ANALYSIS OF PRODUCTION SCHEMATA BY PETRI NETS 



Abstract 



Petri nets provide a powerful graphical tool for representing 
and analyzing complex concurrent systems. Properties such as 
hang-up freeness, determinacy, conflict, concurrency and dependency, 
can be represented and studied. The precise relationship between 
structural and behavioral properties, and between local and 
global properties is not well-understood for the most general class 
of Petri Nets. This thesis presents such results for a restricted 
class of Petri Nets called Free Choice Petri Nets, and for a 
corresponding class of Systems called Production Schemata. Results 
on structural constraints guaranteeing global operation, and decom- 
positions of complex systems into meaningful parts, are also 
presented. 



This report reproduces a thesis of the same title submitted to 
the Department of Electrical Engineering, Massachusetts Institute 
of Technology, in partial fulfillment of the requirements for 
the degree of Master of Science, February 1972. 
INTRODUCTION AND PREVIOUS WORK 

The subject matter of this thesis is part of what can be called 
"Systemics," or System Theory, the science that analyzes and describes 
complex systems, patterns of interaction, communication between parts 
of a system, understanding of a system by understanding its parts and 
the interrelation of parts, and the like. Operational research has been 
applied to study such systems numerically, to compare operating strate- 
gies, to optimize. But our approach is structural, i.e. we are inter- 
ested in the structural relations and dependencies of the system. Thus 
we have notions such as: 

a) Operations A and B are concurrent, that is, either can precede 
the other, they may overlap in time, and which one of the above 
situations occurs is irrelevant. In some way, A and B are 
temporally independent. 

b) Operation C must wait for both A and B to complete. 

c) Operations D and E must both wait for C, but either one ex- 
cludes the other, i.e. if D takes place, E cannot, and vice 
versa. This is called a conflict situation, and related to it 
is the concept of decision (to resolve conflict) and branching. 

d) Deadlock situation: A certain operation A must wait for (depends 
on the results of) operation B, but operation B must wait for A: 
The system hangs up, it is in a hang-up state, or deadlocked. 

e) Unpredictability or non-determinacy: A certain operation de- 
pends on the results of either A or B, but A and B are concur- 
rent: the final result may depend on whichever occurs first. 

Petri Nets are a formal mathematical tool. They rely on a graph- 
ical representation of dependencies such as those described above, and, 
in a more general sense, are used to represent a system described by 
events whose occurrences depend on certain conditions and change those 
conditions. The notions of deadlock and unpredictability presented above 
correspond to the precisely defined properties of liveness and safeness 
of Petri Nets. 



The mathematical analysis of Petri Nets in their full generality 
has not yet been very successful, but certain restricted classes are 
now well understood. This thesis shows important results for the class 
of Free Choice Petri Nets , a subclass of Petri nets, and solves the 
deadlock and unpredictability problem for a restricted class of systems 
called Production Schemata . 

The concept of Systemics as a science is due to Holt (Information 
Systems Theory Project), who extended and applied the ideas of Petri. 
Petri Nets were introduced by Petri in his dissertation in 1962 [18] and 
modified to their present form by Holt in 1968 [10]. 

The idea of first studying a limited subclass of Petri Nets to ob- 
tain a better understanding of more general Petri Nets is due to 
Genrich [9], who introduced Marked Graphs to study concurrency. 

Extensive mathematical results about a subclass of Petri Nets known 
as Marked Graphs have been published by Holt and Commoner [12]. In that 
publication, Marked Graphs have also been used to represent a subclass of 
Production Schemata, namely those without decision branches or conflicts. 

Research on this thesis was prompted by a comparison of Rodriguez's 
Parallel Program Graphs [19] and Marked Graphs. Both formalisms express 
the same kind of determinism, but Rodriguez's Graphs allow for branching. 
Attempts to model branching by a method as similar in structure as pos- 
sible to Marked Graphs led to the definition of Free Choice Petri Nets. 
The works of Karp and Miller [13], Muller and Bartky [14], Baer, Bovet, 
and Estrin [1], Slutz [21] were in different degrees relevant to research 
in the early stages of this thesis. In particular, Muller's concept of 
semimodularity is related to the behavior of safe Petri Nets, and the al- 
gorithms of Baer, Bovet and Estrin are of interest insofar as their 
"directed acyclic bilogic graphs" are structurally the same as acyclic 
Free Choice Petri Nets. 

Among the references listed in this thesis are several other publi- 
cations about Petri Nets. These include several applications of Petri 
Nets, notably Saint and Shapiro for representing algorithms [20], and 
Dennis for representing control structures in digital computers [6]. 
PART ONE 



Description of Petri Nets and Production Schemata 
CHAPTER 1 
Petri Nets 

1.1 Definition 

A Petri Net is a directed bichromatic graph with an initial marking. 
The two distinguished types of vertices are called places and 
transitions. A marking is a function which associates with each 
place in the Petri Net a non-negative integer, called the token 
load of that place, or the number of tokens in it. 

A simulation of a Petri Net is a sequence of firings of transitions; 
only firable transitions may fire at any time, and a transition is 
firable if and only if all its immediate antecedent places (input 
places) have a positive, non-zero, load in the present marking. 
(A place with one or more tokens is marked, a place with no tokens 
is blank.) The firing of a transition changes the marking by 
decrementing the load of each input place by one and by incrementing 
the load of each immediate successor place (output place) by one. 

A Marking M' is said to be reachable from marking M if there exists 
a firing sequence which transforms marking M into M'. The marking 
class of a Petri Net is the set of all markings reachable from the 
initial marking. 

Graphically, we represent places by circles and transitions by bars. 
Dots in places represent the tokens of the marking. 



Example: (figure not reproduced) the same net is drawn twice, before the 
firing of transition t and after the firing of transition t. 
1.2 Liveness and Safeness 

The most important properties of Petri Nets are liveness and 
safeness. 

A transition t is live at marking M if, for every marking M' that 
can be reached from M, there exists a firing sequence which fires t. 



Example: (figure not reproduced) 

In this example, t_1 and t_2 are live, but t_3 is not live, because if we 
fire t_3 we reach a marking with only one token, and no firing sequence 
can possibly get two tokens back on the net, hence t_3 cannot be fired 
again. 

If every transition in a Petri Net is live, the Petri Net is live. 
An example of a live net is: (figure not reproduced) 

t_1 is live because it can fire at any time: it has no blank input place. 
t_2 is live because, for any marking, t_1 t_2 is a firing sequence. 
A place p is safe at marking M if every marking M' that can be 
reached from M has at most one token on p. 



Example: (figure not reproduced) 

p_1 and p_2 are safe; p_3 is not. 

A Petri Net is safe if every place in the net is safe. 

A Petri Net is said to be live and safe, or LS, if it is both live and 
safe at the initial marking. 

In a safe Petri Net, a place is either blank or has one token. We 
can say that a place represents some condition which either holds or 
doesn't. A firing of a transition then terminates the holding of those 
conditions that enabled the transition, and begins the holding of other 
conditions: In this context, we say that an event, represented by the 
transition, occurred. 
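As an added illustration (this code is not from the thesis), the following Python script implements the firing rule of 1.1 and the liveness and safeness tests of 1.2 by enumerating the marking class. The two nets it analyzes are constructed for this example and their names (p1, p2, t1, t2, t3) are this example's own; the first is built so that it behaves like the non-live example above: t3 needs both places marked, consumes two tokens and returns one, after which it can never fire again.

```python
from collections import deque


class PetriNet:
    """A Petri net as in Section 1.1: places, transitions and arcs.
    A marking is a dict mapping each place name to its token load."""

    def __init__(self, places, transitions, arcs):
        self.places = list(places)
        self.transitions = list(transitions)
        # pre[t] = input places of transition t, post[t] = its output places
        self.pre = {t: set() for t in self.transitions}
        self.post = {t: set() for t in self.transitions}
        for x, y in arcs:
            if x in self.pre:          # arc transition -> place
                self.post[x].add(y)
            else:                      # arc place -> transition
                self.pre[y].add(x)

    def firable(self, marking, t):
        # firable iff every input place carries at least one token
        return all(marking[p] > 0 for p in self.pre[t])

    def fire(self, marking, t):
        # take one token from each input place, add one to each output place
        if not self.firable(marking, t):
            raise ValueError(f"{t} is not firable")
        new = dict(marking)
        for p in self.pre[t]:
            new[p] -= 1
        for p in self.post[t]:
            new[p] += 1
        return new

    def _key(self, marking):
        return tuple(marking[p] for p in self.places)

    def marking_class(self, initial, limit=10_000):
        """Breadth-first enumeration of every marking reachable from `initial`.
        Returns (markings, edges): markings maps a key to a marking dict, edges
        maps a key to the list of (transition, key of the resulting marking).
        The limit guards against unbounded nets, whose marking class is infinite."""
        start = dict(initial)
        markings = {self._key(start): start}
        edges = {}
        queue = deque([start])
        while queue:
            m = queue.popleft()
            edges[self._key(m)] = []
            for t in self.transitions:
                if self.firable(m, t):
                    n = self.fire(m, t)
                    k = self._key(n)
                    edges[self._key(m)].append((t, k))
                    if k not in markings:
                        if len(markings) >= limit:
                            raise RuntimeError("marking class exceeds limit; net may be unbounded")
                        markings[k] = n
                        queue.append(n)
        return markings, edges

    def live_transitions(self, initial):
        """t is live at `initial` iff from every reachable marking some firing
        sequence fires t: collect the markings from which t can eventually fire
        (backward closure from the markings where t is firable) and compare."""
        _, edges = self.marking_class(initial)
        live = set()
        for t in self.transitions:
            can_reach_t = {k for k, succ in edges.items() if any(tt == t for tt, _ in succ)}
            frontier = list(can_reach_t)
            while frontier:
                target = frontier.pop()
                for k, succ in edges.items():
                    if k not in can_reach_t and any(nk == target for _, nk in succ):
                        can_reach_t.add(k)
                        frontier.append(k)
            if can_reach_t == set(edges):
                live.add(t)
        return live

    def safe_places(self, initial):
        """p is safe iff no reachable marking puts more than one token on p."""
        markings, _ = self.marking_class(initial)
        return {p for p in self.places if all(m[p] <= 1 for m in markings.values())}


def analyse(net, initial):
    markings, _ = net.marking_class(initial)
    return {"markings": len(markings),
            "live": net.live_transitions(initial),
            "safe": net.safe_places(initial)}


# Constructed net (names are this example's own): t1 and t2 pass a token between
# p1 and p2; t3 needs both places marked and returns a single token to p1.
EXAMPLE = PetriNet(
    places=["p1", "p2"],
    transitions=["t1", "t2", "t3"],
    arcs=[("p1", "t1"), ("t1", "p2"), ("p2", "t2"), ("t2", "p1"),
          ("p1", "t3"), ("p2", "t3"), ("t3", "p1")],
)
# The same cycle without t3 and with a single token: live and safe.
CYCLE = PetriNet(["p1", "p2"], ["t1", "t2"],
                 [("p1", "t1"), ("t1", "p2"), ("p2", "t2"), ("t2", "p1")])

if __name__ == "__main__":
    print(analyse(EXAMPLE, {"p1": 1, "p2": 1}))   # t3 not live, no place safe
    print(analyse(CYCLE, {"p1": 1, "p2": 0}))     # live and safe
```

Because liveness and safeness are defined over the whole marking class, these checks terminate only for bounded nets; the `limit` argument turns an unbounded net into an error instead of an endless search. The first net also shows that unsafeness and non-liveness are independent: firing t1 from the initial marking puts two tokens on p2, so neither place is safe, while t1 and t2 remain live.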

1.3 Syntactical Subclasses 

The structure of Petri Nets in full generality, as defined above, is 
very rich, and it appears difficult to fully understand the relationships 
between the structure of the net (properties such as strongly connected, 
for example) and the behavior of the net (liveness or safeness, for ex- 
ample). Hence we approach the problem by analyzing first certain re- 
stricted subclasses of Petri nets. 
Definitions 



Presently we distinguish the following (proper) subclasses: 

- State Machines (SM) 

- Marked Graphs (MG) 

- Free Choice Petri Nets (FC) 

- Simple Petri Nets (SN) 

- Petri Nets (PN) 

We say syntactical subclasses because of the fact that whether a 
given Petri Net belongs to a subclass or not is decided by the 
local structural configuration of the Net. In short, we have: 



SM: every transition has exactly one input place and exactly one 
output place. 

MG: every place has exactly one input transition and exactly one 
output transition. 

FC: every arc from a place is either the unique output of that 
place or the unique input to a transition. 

SN: every transition has at most one shared input place. 

PN: no restriction. 

(The original table also shows, for each subclass, a local 
configuration that is allowed ("yes") and one that is not ("no"); 
these figures are not reproduced.) 
The following figure (not reproduced) shows the inclusion relations among the subclasses. 
It can be seen that State Machines have the same structure as the 
familiar Finite State Automata or Sequential Machines, but uninter- 
preted in the sense that we do not associate input or output symbols 
to the transitions (state- transitions in Automata Theory language). A 
token in a place corresponds to the Sequential Machine being in the 
corresponding state, assuming there is only one token in the net. 

1.4 Mathematical Properties: A first approach to the basic concepts 

1.4.1 Overview 

The mathematical properties of Petri Nets we are most interested in 
are the relations between liveness and safeness of the Net, or 
parts of it, and structural properties such as connectedness, cov- 
ered by State Machines, decomposable into Marked Graphs. 

Holt and Commoner have extensively studied the mathematics of 
State Machines and Marked Graphs [5, 12]. 

We shall focus our attention on Free Choice Nets. The most 
important result is a Theorem that states necessary and sufficient 
conditions for the existence of a live and safe marking in a Free 
Choice Petri Net. 

To date, Free Choice Petri Nets are the largest class of 
Petri Nets for which such necessary and sufficient conditions are 
known. 

1.4.2 Liveness and Safeness in Free Choice Petri Nets 

Important preliminary contributions to this topic are due to 
Fred Commoner, and include the definition of Traps and Deadlocks, 
as well as a Necessary and Sufficient Condition for Liveness of 
Free Choice Petri Nets. 
A Deadlock is a set of places in a Petri Net such that every 
transition which puts a token on some place in the set re- 
quires at least one token from some place in the set. This 
implies that if a deadlock is blank (i.e. contains no tokens), 
it will remain blank for every possible firing sequence. This 
is intuitively bad for liveness, since every transition having 
an input place in a blank deadlock will have no chance of firing. 



Example: (figure not reproduced) The bold face places form a deadlock. 



Note that a deadlock in the Petri Net sense is a deadlock in 
the usual sense only if it is blank; potential deadlock might 
be a better name for the deadlocks defined above. 

A Trap is a set of places such that every transition which takes 
a token from the set puts at least one token back into the set. 
Hence once a Trap is marked, i.e. contains at least one token, 
it will always be marked, no matter what firing sequences take 
place. 

Note that if a Deadlock contains a marked Trap, it will never 
become blank, and the threat to liveness described before does 
not exist: This is the "good" situation. 
Example of a Trap (bold face): (figure not reproduced) 
Traps and Deadlocks are not exclusive: For example, 
every strongly connected Petri Net is both a Trap and a Deadlock. 

Commoner has proved that a Free Choice Petri Net is live if and 
only if every Deadlock contains a marked Trap [4]. 

1.4.3 Consistent Subnets: Open and Closed 

A Subnet of a Petri Net is defined like a subgraph in Graph 
Theory [2], i.e. as a subset of vertices (places and/or tran- 
sitions) and the arc relation restricted to the vertices of the 
subset. 

Traps and Deadlocks are, strictly speaking, subnets by them- 
selves, but such a collection of places without the transitions 
that are connected to them is not very meaningful by itself. 
Thus we introduce the concept of a Consistent Subnet. 

A Consistent Subnet of a given Petri Net is 

either: a subnet consisting of a set of places and all transi- 
tions pointing to or from these places, called a 
Closed Consistent Subnet. 

or: a subnet consisting of a set of transitions and all 
places pointing to or from these transitions, called 
an Open Consistent Subnet. 
The distinction between Closed and Open comes from the fact that 
one type is connected to the rest of the net by sharing certain 
transitions, and the other by sharing certain places. We assume 
a place is more "open" than a transition hence an Open subnet 
has an "open" boundary of places, and a Closed subnet has a 
"closed" boundary of transitions. 

Deadlocks and Traps can be conveniently viewed as Closed Consis- 
tent Subgraphs, because they are defined as a set of places. We 
shall henceforth take this point of view. 

The union of Consistent Subnets is defined in the obvious way, 
so is the Covering of a Petri Net by a set of Consistent Subnets. 
Unless the Petri Net is very peculiar (having transitions without 
any input nor output places for example), if the union of the 
places of Closed Subnets is the set of all places of the Petri 
Net, the union of the Subnets is the whole Petri Net. In this 
sense we can speak of a Petri Net being covered by State Machines 
or by Marked Graphs . 

Let a minimal Deadlock be a Deadlock that does not properly con- 
tain any non-empty deadlock. 

We shall prove that a Free Choice Petri Net has a live and safe 
marking if and only if it is covered by strongly connected State 
Machines and every minimal Deadlock is a strongly connected 
State Machine. 



CHAPTER 2 
Production Schemata 



2.1 Flow of Control and Flow of Objects 

In the introduction we described Systems in very general terms. 
We spoke of operations and dependencies of events on each other. One 
way to describe dependencies dynamically is to speak in terms of flow. 
We may, in general, speak of two sorts of flow: flow of control and 
flow of objects. 

Flow of control often has a very complex structure because it 
describes situations such as gathering information in different parts of 
the system and directing one course of action instead of another. To 
model flow of control by Petri Nets, we need at least the structural com- 
plexity of Simple Nets. 

Flow of objects, on the other hand, can be represented and analyzed 
by Free Choice Nets. We describe flow of objects in a System by Produc- 
tion Schemata. 

2.2 Definition of Production Schemata: Conjunctive Elements 

A Production Schema is a model for representing the flow of objects 
in a System. It describes operations on objects, and branching or 
merging of flow. 

An assembly operation takes as inputs all the parts needed to as- 
semble an object: The operation takes place only when all inputs have 
arrived; there is one path of flow per object. (Figure not reproduced: 
before assembly / after assembly.) 
We also have a disassembly operation (figure not reproduced: before 
disassembly / after disassembly). 

In a more general sense, we have operations with several inputs and 
several outputs (figure not reproduced: before / after). 

These operations are described by conjunctive nodes because input 
flow and output flow are conjunctive: all input objects are needed to 
initiate the operation, and all output objects are produced each time 
the operation terminates. 

Before we present more elements of Production Schemata, we shall 
emphasize two points: Timing, and accumulation of several objects in 
one place (input arc to an operation, for example). 
Timing, in the usual sense of a description of the upper and lower 
bounds of delays, is a "bad word" in our context. We wish to represent 
all constraints structurally in our model. This means that if a certain 
system contains timing constraints, these will show up as structural con- 
straints in the model which is itself strictly asynchronous. This is 
possible because we can model the flow of metered time by a "clock," a 
certain event which happens, by definition, every t seconds. The struc- 
ture of the model is then such that if a certain event must (by specifi- 
cation) occur between, say, the a-th tick (since some time origin) and the 
b-th tick, that event depends (structurally) on the a-th tick, but the b-th 
tick depends on it. This way we can model situations like: "If item A 
has not been used after four hours, discard it." 

Had we chosen a synchronous model, with metered time, it would be 
very difficult indeed to represent asynchronous systems, and the cause 
and effect relationship among events. Moreover, it seems that even in 
the case of synchronous systems, we gain more insight into the system by 
explicitly representing all constraints on the events in the system in an 
asynchronous model. 

Now consider the following situation (figure not reproduced): 

Operation C gets its inputs from A and B. One object, α, has arrived 
from A, and C is now waiting for an object from B to proceed. But before 
this happens, A produces another object, α'; finally, B pro- 
duces object β. 



Now, should C use α and β, or α' and β? If α and α' were undistinguish- 
able it would not matter, but we intend to keep our model as general and 
uninterpreted as possible and must assume that all objects are distin- 
guishable (cf. "free interpretation" in program schemata [15]). We could 
require the link to preserve order (and hence mate β to α), but this can 
be modeled independently by a pipeline, which we shall introduce below. 
We therefore let this situation be undesirable, i.e. express a malfunction 
of the system, and shall analyze it as such. It reminds us of course of 
unsafeness in Petri Nets, and, in most systems, can be thought of as a 
malfunction leading to unpredictability and non-determinacy. 

To represent a system where one part may produce at times more ob- 
jects than are consumed by another, we need a buffer, or pipeline, and 
usually the capacity is specified; in particular we do not expect infin- 
ite queues. Then, a pipeline that can hold up to, say, 4 items and de- 
liver them in order, can be represented by the following arrangement, 
which works like a bucket brigade (figure not reproduced): 
We have 4 cells. Each cell either contains an object on the top link, 
or a message on the bottom link. The message says actually two things, 
depending on the point of view: "Ready to receive another object," and 
"Previous object has just been delivered." These messages constitute 
what Holt calls "backflow" in Marked Graph models for Production Facili- 
ties [12]. It is of course debatable whether we should consider this 
flow of messages as flow of objects rather than flow of control; but in 
some systems all objects might effectively be messages, and, more im- 
portantly, we may consider a warehouse as an operation taking as input 
an order form, and giving the requested object as output. This approach 
obviates the need for special input or output nodes : An input node is an 
operation which produces an object upon receiving a request, and an out- 
put node is an operation which produces a receipt, or acknowledgement , 
upon delivering to the "outside world" an object received as input. The 
important fact is that such messages are treated in a strictly local man- 
ner, just like other objects, and only the producing and receiving op- 
erations are "aware" of its existence, as opposed to control information 
described in 2.1. 
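As an added example (not from the thesis), here is the 4-cell bucket brigade above as a marked graph, simulated with the firing rule of Chapter 1. Tokens carry labels so that the order in which objects leave can be compared with the order in which they entered; the place and transition names (obj_i, ready_i, enter, move_i, leave) are this example's own.

```python
CELLS = 4


def pipeline(cells=CELLS):
    """Pre/post sets of the bucket brigade. Cell i is a pair of places: obj_i
    (an object sits in the cell) and ready_i (the cell's 'ready to receive'
    message, the backflow). Every place has one input and one output
    transition, so the net is a marked graph."""
    pre, post = {}, {}
    pre["enter"], post["enter"] = {"ready_0"}, {"obj_0"}          # producer fills cell 0
    for i in range(1, cells):
        pre[f"move_{i}"] = {f"obj_{i-1}", f"ready_{i}"}           # object advances one cell,
        post[f"move_{i}"] = {f"obj_{i}", f"ready_{i-1}"}          # message flows back one cell
    pre["leave"], post["leave"] = {f"obj_{cells-1}"}, {f"ready_{cells-1}"}  # consumer empties the last cell
    return pre, post


def initial_marking(cells=CELLS):
    """Every cell starts empty, i.e. it carries its ready message."""
    m = {f"obj_{i}": [] for i in range(cells)}
    m.update({f"ready_{i}": ["ready"] for i in range(cells)})
    return m


def fire(pre, post, marking, t, new_object=None):
    """The firing rule of Chapter 1 with labelled tokens: one token is taken
    from each input place and one put on each output place. Objects flow
    through unchanged; a token on a ready_i place is always the message
    'ready'. Returns (new marking, tokens taken) or None if t is not firable."""
    if any(not marking[p] for p in pre[t]):
        return None
    new = {p: list(tokens) for p, tokens in marking.items()}
    taken = [new[p].pop(0) for p in sorted(pre[t])]
    obj = new_object if new_object is not None else next((x for x in taken if x != "ready"), None)
    for p in post[t]:
        new[p].append(obj if p.startswith("obj") else "ready")
    return new, taken


def simulate(labels, consumer=True):
    """Feed the objects in `labels` through the pipeline. The producer enters
    the next object whenever cell 0 is ready; objects drift forward whenever
    the cell ahead is ready; the consumer (if present) takes objects out of
    the last cell. Returns what was delivered, what is still held (cell 0
    first), and what could not enter because the pipeline was full."""
    pre, post = pipeline()
    m = initial_marking()
    pending, delivered = list(labels), []
    while True:
        progressed = False
        for i in range(CELLS - 1, 0, -1):            # advance the front cells first
            step = fire(pre, post, m, f"move_{i}")
            if step:
                m, progressed = step[0], True
        if consumer:
            step = fire(pre, post, m, "leave")
            if step:
                m, taken = step
                delivered.extend(taken)
                progressed = True
        if pending:
            step = fire(pre, post, m, "enter", new_object=pending[0])
            if step:
                m, progressed = step[0], True
                pending.pop(0)
        if not progressed:                             # nothing firable: stop
            break
    held = [m[f"obj_{i}"][0] for i in range(CELLS) if m[f"obj_{i}"]]
    return {"delivered": delivered, "held": held, "not_entered": pending}


if __name__ == "__main__":
    print(simulate("abcdef", consumer=False))  # pipeline fills: 4 held, 'e' and 'f' never enter
    print(simulate("abcdef"))                  # delivered in order a..f
```

With no consumer the producer is refused after four objects: the capacity constraint is expressed by the structure (the ready messages) rather than by a counter. With the consumer present the objects leave in the order they entered, because each cell holds either an object or a ready message and never both, so no object can overtake another.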

So far, we have described exactly the same class of Systems as have 
been represented by Marked Graphs in "Events and Conditions," by Holt and 
Commoner [12]. We present next those elements which introduce decisions, 
switches, and permit the representation of a larger class of Systems. 

2.3 Definition of Production Schemata: Disjunctive Elements 

If we want to represent a situation where an object produced by A 
flows either to B or to C, depending on circumstances (nature of the ob- 
ject, for instance), we need a new element whose outputs are disjunctive: 
It acts as a switch (figure not reproduced: before / after). 

Also, if a certain operation gets its inputs from exactly one of 
several possible sources, we need an element with disjunctive input, 
sort of a reverse switch, or collector (figure not reproduced). 
Of course, nothing a priori forbids us to consider a more general form 
of a switch (figure not reproduced: before / after). 

These elements differ from operation elements by the fact that: 

- they have disjunctive input and output, 

- there is only one object flowing through at a time, 

- the object flows through unchanged. 

In particular, this means that the following transformation cannot take 
place in one step (figure not reproduced: phase 1, a single step 
marked "incorrect", phase 2). 
Instead, it involves two steps, which can occur in either order (figure 
not reproduced: phase 1, step 1, phase 2, step 2, phase 3). 
But we could also have the following (and in the free interpretation 
we must consider this along with all other possibilities): a figure, 
not reproduced, labelled "unsafe". 

This leads to a situation we chose to consider a malfunction, possibly 
leading to non-determinacy. One of the objectives of this thesis is to 
guarantee structures such that if a collector element receives an object 
on one input, no object can possibly show up on any other input until 
the first object has been delivered to the next element following the 
collector. 

We shall conclude this section by giving an example of a structure 
leading to deadlock, a structure leading to unsafeness, and an example of 
a structure without malfunctions. 
Example 1 (figure not reproduced): Two paths, originating 
conjunctively and joining disjunctively, create possible un- 
safeness at the input to B. 

Example 2 (figure not reproduced): Two paths, originating 
disjunctively and joining conjunctively, can lead to hang-up on A: 
If all objects are switched down the left path, the right input 
will never get an object, and A cannot operate. 
Example of a Well-Formed Production Schema (figure not reproduced). 
The elements of the schema are labelled: input 2 chemicals, mixer, 
test for correct composition, concentrated solution, not concentrated, 
concentrate, catalysis, catalyst, separator, recover catalyst, 
activity restorer, restore activity, output the result. 
2.4 Representing Production Schemata by Petri Nets 

At this point, the reader has certainly noticed the similarity be- 
tween objects and tokens, operations and transitions, links between 
elements and one-input-one-output places, and disjunctive elements and 
multiple arc places. The correspondence is straightforward: 



L> 



a) 



r\ 




b) 





Production Schema 



Petri Net 
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Production Schema 



Petri Net 






We note that, in Production Schemata, objects (tokens) are on the 
links, but in the Petri Net, tokens are always on places. This is es- 
pecially illustrated in example d). There are two Petri Net firings as- 
sociated with the switch (or collector) element, and there seems to be 
an intermediate step where the object is "inside" the switch. This is 
perfectly acceptable, and the switch or collector element could well 
have been defined that way. We could also model an operation as fol- 
lows, if we wish: 




(Figure not reproduced: a transition "initiate operation", a place 
"operation in progress", and a transition "terminate".) 
Semantically, this is even quite attractive, but it does not in any way 
change the structure of dependencies that we wish to analyze. 

On occasion, we might wish to contract the representation of the 
switch or collector element (figure not reproduced). 

We could even go one step further, though it may be questionable on 
semantic grounds (figure not reproduced): 
But in no case can we suppress the "auxiliary" transition α and place β, 
because this would make the structure essentially different. As long as 
α and β are there, a token can be switched towards D and, after that, 
will have to wait for D to receive its other input, and fire. If, how- 
ever, we remove α and β, the token could at any time be "stolen" or 
leaked away towards C; the switching decision would not be necessarily 
final as in the original net. This distinction is fundamental to the 
concept of Free Choice Petri Nets: 

Every Production Schema can be represented by a Free Choice 
Petri Net. 



Conversely, every Free Choice Petri Net represents a Production 
Schema, if we allow contractions as discussed above. 
The desirable properties for a Production Schema are: 

- determinacy, predictability; 

- no hang-up states under any conditions of operation. 

The first property has been associated with unsafeness in Petri Nets by 
definition of our formalism, the second property is clearly related to 
liveness in the representing Petri Net. We therefore define: 

A Well-Formed Production Schema is a Production Schema rep- 
resented by a Live and Safe Free Choice Petri Net. 



PART TWO 



Mathematical Analysis of Free Choice Petri Nets 
CHAPTER 3 
Formal Definitions and Notation 

This chapter provides the formalism for the concepts introduced in 
Chapter 1. 

3.1 Petri Nets 

Definition: A Petri Net is a triple $(\Pi, \Sigma, \cdot)$ where 

$\Pi$ is a non-empty set of places 

$\Sigma$ is a non-empty set of transitions 

$\cdot$ is a relation; it corresponds to the arcs in the 
directed bichromatic graph; the set of vertices is $\Pi \cup \Sigma$. 
We have: $\cdot \subseteq (\Pi \times \Sigma) \cup (\Sigma \times \Pi)$ 

Notation: $\langle x, y \rangle \in \cdot$ is written as $x \cdot y$ 

$\{y \mid x \cdot y\}$ is written as $x^{\cdot}$ 

$\{y \mid y \cdot x\}$ is written as ${}^{\cdot}x$ 

We also apply the dot notation to designate the successor 
set of a set of places or transitions. 
Example: for $P \subseteq \Pi$, $P^{\cdot} = \{x \mid \exists y \in P \text{ and } y \cdot x\}$ 

Def. A Marking is a function $M : \Pi \to \mathbb{N}$ (non-negative integers) 

Def. A Firing is a partial function from markings to markings. 

There is a firing associated with every transition $t \in \Sigma$; 
t is said to be firable if its firing function is defined 
at the given marking M of the net, and the firing yields 
marking M'. We write this: $M[t\rangle M'$. The firing associated 
with $t \in \Sigma$ is such that: 

$\forall p \in {}^{\cdot}t - t^{\cdot}: \; M'(p) = M(p) - 1$ 

$\forall p \in t^{\cdot} - {}^{\cdot}t: \; M'(p) = M(p) + 1$ 

for every other place p: $M'(p) = M(p)$ 

and it is defined only if: $\forall p \in {}^{\cdot}t: \; M(p) > 0$ 
Def. A firing sequence $\sigma$ is a string over transition names and, 
as a function over markings, the composition of the firings 
of the transitions in the order they appear in the string. 

We shall say $t \in \sigma$ if t is fired at least once in $\sigma$. We 
say that M leads to M' via $\sigma$, and write $M[\sigma\rangle M'$, or 
$M' = M[\sigma\rangle$, if $\sigma$, as a partial function, is defined for M. 
The set of firing sequences is denoted by $\Sigma^{*}$. 

Def. The forward Marking Class $\overline{M}$ of a marking M is the set of 
markings which can be reached from M via some firing sequence: 

$\overline{M} = \{M' \mid \exists \sigma \in \Sigma^{*} \text{ and } M[\sigma\rangle M'\}$ 

The concepts of liveness and safeness are defined as follows for Petri 
Nets: 

Def. A transition t is live in a given marking if and only if for 
every marking in the marking class there exists a firing se- 
quence which fires that transition. 

$t \in \Sigma$ live at M $\Leftrightarrow$ $(\forall M' \in \overline{M})(\exists \sigma \in \Sigma^{*})$ such that: 

$M'[\sigma\rangle$ exists (i.e. $\sigma$, as a function, is 
defined at M') and $t \in \sigma$. 

Def. A marking is live if and only if every transition is live at 
that marking. 

Def. A place p is safe if and only if for every marking in the 
given marking class the load on p is not greater than one. 

$p \in \Pi$ safe at M $\Leftrightarrow$ $\forall M' \in \overline{M}: \; M'(p) \le 1$ 

Def. A marking is safe if and only if every place is safe at that 
marking. 

Corollary: If a transition is live at marking M, it is live at any 
$M' \in \overline{M}$. If a place is safe at marking M, it is safe at any 
$M' \in \overline{M}$. 
Def. A subnet of a Petri Net $(\Pi, \Sigma, \cdot)$ is a Petri Net 
$(\Pi', \Sigma', \circ)$ such that: $\Pi' \subseteq \Pi$ 

$\Sigma' \subseteq \Sigma$ 

($\circ$ is the restriction of $\cdot$): $\circ = \cdot \cap (\Pi' \times \Sigma' \cup \Sigma' \times \Pi')$ 

Short notation for a Petri Net $(\Pi, \Sigma, \cdot)$: $(\Pi, \Sigma)$. 
This can be used whenever $\cdot$ is clear from context. Thus, if we 
say that $(\Pi', \Sigma')$ is a subnet of $(\Pi, \Sigma)$, it is understood that the 
arc relation for $(\Pi', \Sigma')$ is the restriction of the relation for 
$(\Pi, \Sigma)$ to the set of vertices $\Pi' \cup \Sigma'$. 

Example: $(\Pi, \Sigma, \cdot)$ where: 

$\Pi = \{p_0, p_1, p_2, p_3\}$ 

$\Sigma = \{t_1, t_2\}$ 

$\cdot = \{\langle p_0, t_1\rangle, \langle p_0, t_2\rangle, \langle t_1, p_1\rangle, \langle t_1, p_2\rangle, \langle t_2, p_3\rangle\}$ 

expressed as: $p_0 \cdot t_1$, $t_1 \cdot p_1$, $p_0 \cdot t_2$, etc. (figure not reproduced) 

also: for $p \in \Pi$, $t \in \Sigma$: 

$p^{\cdot} = \{t \mid p \cdot t\}$ 
${}^{\cdot}p = \{t \mid t \cdot p\}$ 
$t^{\cdot} = \{p \mid t \cdot p\}$ 

if $P \subseteq \Pi$, then $P^{\cdot} = \{t \mid \exists p \in P \text{ and } p \cdot t\}$ 
Hence, in the example above: 

$\{t_1, t_2\}^{\cdot} = \{p_1, p_2, p_3\}$ 

$p_0^{\cdot} = \{t_1, t_2\}$ 
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3.2 Formal Definition of the Subclasses 

Definition ; A State Machine (SM) is a Petri Net (H, E, •> 
such that: Vt € E |*tj = |t'| = 1. 
(JA|, where A is a set, is the cardinality of the 
set A). In other words, each transition has exactly 
one input place and one output place. (cf Chapter 1) 

Definition : A Marked Graph (MG) is a Petri Net (II, E, •> 
such that: Vp € II: |'p| = |p' j = 1 

Definition : A Free Choice Petri Net (FC) is a Petri Net <n, E, •> 
such that: (vp €n) (Vt 6e) : p.t => p' = {t} or *t - {p}, 
i.e. an arc from a place £ to a transition t either is 
the unique output arc of £ or the unique input arc to 
t.. 

3.3 Traps and Deadlocks

In a Petri Net $(\Pi, \Sigma)$,

Definition: A Trap is a subset of places $T \subseteq \Pi$ such that $T^{\bullet} \subseteq {}^{\bullet}T$, 
    i.e. every transition having an input place in $T$ must 
    have an output place in $T$.

Definition: In a Petri Net $(\Pi, \Sigma)$ a Deadlock is a subset of places 
    $D \subseteq \Pi$ such that ${}^{\bullet}D \subseteq D^{\bullet}$, i.e. every transition having 
    an output place in $D$ must have an input place in $D$.

In a strongly connected Petri Net $(\Pi, \Sigma)$, it is clear that we have 
${}^{\bullet}\Pi = \Pi^{\bullet} = \Sigma$, hence $\Pi$ is both a trap and a deadlock.

Terminology: a set of places $P \subseteq \Pi$ in a Petri Net $(\Pi, \Sigma)$ with 
marking $M$ is said to be

    - blank, if no place contains a token: $\forall p \in P$: $M(p) = 0$

    - marked, if some place contains a token: $\exists p \in P$: $M(p) \geq 1$

    - empty, if it is the empty set: $P = \emptyset$
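The example net of Section 3.1 and the definitions of Sections 3.2 and 3.3, as an added worked example (not code from the thesis): arcs are stored as pairs $(x, y)$ meaning $x \cdot y$, pre- and post-sets are set comprehensions, and each definition becomes a predicate that is run against the thesis's own net $\Pi = \{p_0, \ldots, p_3\}$, $\Sigma = \{t_1, t_2\}$.

```python
"""Added example (not from the thesis): the example net of Section 3.1 and
the Section 3.2/3.3 predicates.  Arcs are pairs (x, y) meaning x . y."""
from itertools import chain

# The thesis's example net: Pi = {p0..p3}, Sigma = {t1, t2}, and the arc
# relation . = {(p0,t1), (p0,t2), (t1,p1), (t1,p2), (t2,p3)}.
PLACES = {"p0", "p1", "p2", "p3"}
TRANSITIONS = {"t1", "t2"}
ARCS = {("p0", "t1"), ("p0", "t2"), ("t1", "p1"), ("t1", "p2"), ("t2", "p3")}


def post(arcs, x):
    """x-post = {y | x . y}: output transitions of a place, or output places
    of a transition."""
    return {b for a, b in arcs if a == x}


def pre(arcs, x):
    """x-pre = {y | y . x}."""
    return {a for a, b in arcs if b == x}


def post_set(arcs, xs):
    """X-post for a set X: every y with x . y for some x in X."""
    return set(chain.from_iterable(post(arcs, x) for x in xs))


def pre_set(arcs, xs):
    """X-pre for a set X."""
    return set(chain.from_iterable(pre(arcs, x) for x in xs))


def is_state_machine(arcs, transitions):
    """SM: every transition has exactly one input and one output place."""
    return all(len(pre(arcs, t)) == 1 and len(post(arcs, t)) == 1
               for t in transitions)


def is_marked_graph(arcs, places):
    """MG: every place has exactly one input and one output transition."""
    return all(len(pre(arcs, p)) == 1 and len(post(arcs, p)) == 1
               for p in places)


def is_free_choice(arcs, places):
    """FC: p . t  =>  post(p) = {t} or pre(t) = {p}, checked over every
    place-to-transition arc."""
    return all(post(arcs, p) == {t} or pre(arcs, t) == {p}
               for p, t in arcs if p in places)


def is_trap(arcs, T):
    """Trap: T-post is a subset of T-pre (every transition that takes a
    token out of T also puts one back into T)."""
    return post_set(arcs, T) <= pre_set(arcs, T)


def is_deadlock(arcs, D):
    """Deadlock: D-pre is a subset of D-post (every transition that puts a
    token into D also takes one from D)."""
    return pre_set(arcs, D) <= post_set(arcs, D)


def is_blank(marking, P):
    """No place of P holds a token."""
    return all(marking.get(p, 0) == 0 for p in P)


def is_marked(marking, P):
    """Some place of P holds a token."""
    return any(marking.get(p, 0) >= 1 for p in P)


if __name__ == "__main__":
    print("{t1,t2}-post =", post_set(ARCS, {"t1", "t2"}))  # {p1, p2, p3}
    print("p0-post =", post(ARCS, "p0"))                    # {t1, t2}
    print("free choice:", is_free_choice(ARCS, PLACES))     # True
    print("{p0} is a deadlock:", is_deadlock(ARCS, {"p0"}))  # True
    print("{p1,p2,p3} is a trap:", is_trap(ARCS, {"p1", "p2", "p3"}))  # True
```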
CHAPTER 4 
Necessary and Sufficient Conditions for Liveness and 
Safeness in Free Choice Petri Nets

4.1 Commoner's Liveness Theorem

Commoner solved the problem of deciding whether a given marking in 
a Free Choice Petri Net is live by proving that a necessary and suffi- 
cient condition for liveness is that every deadlock contain a marked 
trap. The proof we give here follows very closely the original proof 
of the theorem. 

4.1.1 Sufficiency Condition 

First, we prove the sufficiency condition, namely that if every 
deadlock contains a marked trap, then the marking is live. Lemma 1 
establishes the influence of blank deadlocks on possible firings, and 
can be regarded as a mere technical preliminary to Lemma 2. Lemma 2 is 
phrased in a way as to directly lead to a proof by induction on the size 
of a subset of transitions. If the subset includes all transitions, 
Lemma 1 is applicable and provides the basis for the inductive proof. 
If the subset contains only one transition, the lemma expresses a suf- 
ficient liveness condition for that transition. Theorem 1, the suffi- 
ciency condition for liveness in Free Choice nets, follows immediately 
from Lemma 2. 

Lemma 1: In a Petri Net $(\Pi, \Sigma)$, let $M^0 \subseteq \Pi$ be the set of blank places, 
    and $M^+ \subseteq \Pi$ be the set of marked places ($\Pi = M^0 \cup M^+$). 
    Let $W \subseteq \Sigma$ be a subset of transitions. 
    Then ${}^{\bullet}({}^{\bullet}W \cap M^0) \subseteq W$ $\Rightarrow$ either: some $t$ firable in $W$ 
    (i.e. $\exists t \in W$: ${}^{\bullet}t \subseteq M^+$) 
    or: $\exists$ blank deadlock $D$: $W \subseteq D^{\bullet}$
Proof: Assume no $t$ firable in $W$: $\neg(\exists t \in W$ and ${}^{\bullet}t \subseteq M^+)$, 
    i.e.: $\forall t$: ($t \notin W$ or ${}^{\bullet}t \not\subseteq M^+$). 
    Then we get $\forall t$: $t \in W \Rightarrow {}^{\bullet}t \cap M^0 \neq \emptyset$, 
    $\forall t$: $t \in W \Rightarrow t \in ({}^{\bullet}W \cap M^0)^{\bullet}$, 
    hence $W \subseteq ({}^{\bullet}W \cap M^0)^{\bullet}$. 
    But ${}^{\bullet}({}^{\bullet}W \cap M^0) \subseteq W$ by hypothesis: $({}^{\bullet}W \cap M^0)$ is a 
    blank deadlock.

Example: [Figure] ${}^{\bullet}({}^{\bullet}W \cap M^0) = \{t_3, t_4\}$; 
    $\exists$ blank deadlock: {p_, p_}

Lemma 2: In a Free Choice Petri Net $(\Pi, \Sigma)$, with marking $M$, let $W \subseteq \Sigma$ 
    be a subset of transitions such that no firing sequence fires 
    any transition in $W$. Then there exists a marking $M'$ reach-
    able from $M$ such that there is a blank deadlock $D \subseteq M'^0$ and 
    $W \subseteq D^{\bullet}$.



Proof: By induction on the size of $(\Sigma - W)$.

Basis: $|\Sigma - W| = 0$

    Then $W = \Sigma$. Since $\Sigma$ is the set of all transitions in the net, 
    ${}^{\bullet}({}^{\bullet}W \cap M^0) \subseteq W$ is trivially true. Therefore Lemma 1 applies 
    directly to show that, if no transition can be fired in $W$, 
    there must be a blank deadlock $D$ such that $W \subseteq D^{\bullet}$.



Inductive Step: $|\Sigma - W| > 0$

    Let the initial marking be $M_0 = M$. We shall construct a 
    firing sequence leading successively to the markings 
    $M_1, M_2, \ldots, M_i, \ldots, M'$ such that, at $M'$, we have a blank deadlock 
    $D \subseteq M'^0$ and $W \subseteq D^{\bullet}$.

    a) We shall show that no firing sequence fires any 
    transition in $({}^{\bullet}W)^{\bullet}$. For suppose there is a transition $t_0 \in W$ 
    and a place $p_0 \in {}^{\bullet}t_0$ such that some transition $t_1 \in p_0^{\bullet}$ can be 
    fired by some firing sequence. Since no firing sequence fires 
    $t_0$ by hypothesis, we must have $t_1 \in p_0^{\bullet} - W$;

    [Figure: places and transitions around $p_0$, $t_0$, $t_1$.]

    But then $p_0$ has several output transitions, and by the Free 
    Choice hypothesis, if $t_1$ can be fired $t_0$ can also be fired, 
    which contradicts the hypothesis that no firing sequence 
    fires any transition in $W$:

    $\therefore$ No firing sequence fires any transition in $({}^{\bullet}W)^{\bullet}$.
    b) Let the present marking be $M_i$. There are two cases:

    Case 1: ${}^{\bullet}({}^{\bullet}W \cap M_i^0) \subseteq W$

    [Figure: places and transitions.]

    In this case Lemma 1 applies. Since, by hypothesis, no firing 
    sequence fires in $W$, there must be a blank deadlock 
    $D = {}^{\bullet}W \cap M_i^0$ such that $W \subseteq D^{\bullet}$, which proves Lemma 2 with 
    $M' = M_i$.
    Case 2: ${}^{\bullet}({}^{\bullet}W \cap M_i^0) \not\subseteq W$: let $t \in {}^{\bullet}({}^{\bullet}W \cap M_i^0) - W$.

    [Figure: places and transitions.]

    There are two subcases:

    Case 2.1: No firing sequence fires $t$.

    Then, let $W' = W \cup \{t\}$. No firing sequence fires any transi-
    tion in $W'$. But $|\Sigma - W'| = |\Sigma - W| - 1$: By the inductive 
    hypothesis, there must exist a firing sequence $\sigma$ leading to 
    a marking $M' = M_i[\sigma\rangle$ such that there is a blank deadlock 
    $D \subseteq M'^0$ and $W' \subseteq D^{\bullet}$. Then, since $W \subseteq W'$, we have proved 
    Lemma 2 with marking $M'$ and deadlock $D$.

    Case 2.2: There exists a firing sequence $\sigma$ which fires $t$. 
    Let $M_{i+1} = M_i[\sigma\rangle$. Since, because of a), $\sigma$ does not fire any 
    transition in $({}^{\bullet}W)^{\bullet}$, we have: $({}^{\bullet}W \cap M_i^+) \subseteq ({}^{\bullet}W \cap M_{i+1}^+)$. Then, 
    since $t$ fires into ${}^{\bullet}W \cap M_i^0$ and $\sigma$ does not fire in $({}^{\bullet}W)^{\bullet}$, we 
    have: $|{}^{\bullet}W \cap M_{i+1}^0| < |{}^{\bullet}W \cap M_i^0|$.

    We repeat the argument at marking $M_{i+1}$. Since, each time we 
    have to apply case 2.2, the size of $({}^{\bullet}W \cap M_i^0)$ decreases, we 
    must eventually terminate at case 1 or case 2.1.

    q.e.d.

    [Figure: Case 2.2, showing $({}^{\bullet}W \cap M_i^0)$, $({}^{\bullet}W \cap M_i^0)^{\bullet}$ and $({}^{\bullet}W \cap M_{i+1}^0)^{\bullet}$.]
From Lemma 2 we deduce that if no deadlock can ever be blank, there 
must always be a firing sequence that fires any given transition. 
(Take $W = \{t\}$). But if a deadlock contains a marked trap, since the 
trap will always contain at least one token, the deadlock cannot be-
come blank:

Theorem 1. If in a FC net every deadlock contains a marked trap, then 
    the net is live. 
    (Sufficient condition for liveness)

4.1.2 Necessary Condition . 

We want to prove that in a live FC net, every deadlock must contain 
a marked trap, i.e. if the maximal trap in some deadlock is blank, there 
must exist a killing sequence , that is, a firing sequence leading to a 
marking where some transition can never be fired again. 

Such a killing sequence can be obtained by making a certain choice 
ahead of time of the exit of multiple-output places : This selection is 
called an allocation . More precisely, we shall define an allocation on 
a set of places as a function which associates exactly one of the place's 
output transitions with the place. An allocation is circuit-free if 
there is no closed path through allocated transitions only. 

Definition:

    • An allocation $A$ on a set of places $S$ is a function:

        $A: S \to S^{\bullet}$ 
      such that $\forall p \in S$: $A(p) \in p^{\bullet}$

    • An allocation $A$ is circuit-free if there does not exist a path 
      $p_0, t_0, p_1, t_1, \ldots, p_n, t_n$ of places and transitions such that:

        $A(p_i) = t_i$,   $p_{i+1} \in t_i^{\bullet}$,   $p_0 \in t_n^{\bullet}$

    • The set of allocated transitions is $\{t \mid \exists p \in S \text{ and } t = A(p)\}$, 
      denoted by $A(S)$

    • The set of excluded transitions is 
      $\{t \in S^{\bullet} \mid \forall p \in {}^{\bullet}t: p \in S \Rightarrow t \neq A(p)\}$, 
      denoted by $\bar{A}(S)$

Note that $A(S) \cap \bar{A}(S) = \emptyset$ 
          $A(S) \cup \bar{A}(S) = S^{\bullet}$ 
Hence $\bar{A}(S) = S^{\bullet} - A(S)$

The objective of the proof is to show that if some deadlock contains a 
blank trap, we can construct a killing sequence that does not put a 
token on the trap. First, we show the existence of an allocation that 
prevents the trap from getting a token, then we prove that this alloca- 
tion permits us to kill the net. 

Lemma 3: Given a set of places $Q \subseteq \Pi$ and the maximal trap $T$ in $Q$, there 
    is a circuit-free allocation $A: (Q - T) \to (Q - T)^{\bullet}$ of $Q - T$ 
    that does not allocate into the trap, i.e.:

    $\forall p \in (Q - T)$: $A(p) \notin {}^{\bullet}T$,  or:  $A(Q - T) \cap {}^{\bullet}T = \emptyset$

The maximal trap is the largest trap, or the union of all traps, in $Q$. 
It may be the empty trap, i.e. there may be no trap in $Q$.

Proof: By induction on $|Q - T|$.

    • if $Q = T$, the empty allocation $\emptyset \to \emptyset$ satisfies the conditions 
      trivially.

    • assume $|Q - T| > 0$: $\exists p_0 \in Q - T$, $\exists t_0 \in p_0^{\bullet}$: $t_0^{\bullet} \cap Q = \emptyset$, 
      since $p_0$ is not in the maximal trap (otherwise every output 
      transition of every place of $Q - T$ would put a token back into 
      $Q$, so $Q$ itself would be a trap, contradicting the maximality of $T$).

      Hence, $T$ is the maximal trap in $Q' = Q - \{p_0\}$. By inductive 
      hypothesis there exists a circuit-free allocation $A'$ of $Q' - T$ 
      such that

        $A'(Q' - T) \cap {}^{\bullet}T = \emptyset$

      Let $A: (Q - T) \to (Q - T)^{\bullet}$ be the allocation whose restric-
      tion to $Q' - T$ is $A'$, and which assigns $t_0$ to $p_0$:

        $\forall p \in Q - T$:  $p \neq p_0 \Rightarrow A(p) = A'(p)$ 
                             $p = p_0 \Rightarrow A(p) = t_0$

        $A(Q - T) = A'(Q' - T) \cup \{t_0\}$

      Since $A'(Q' - T) \cap {}^{\bullet}T = \emptyset$ 
      and $t_0^{\bullet} \cap Q = \emptyset \Rightarrow t_0 \notin {}^{\bullet}T$ 
      we have $A(Q - T) \cap {}^{\bullet}T = \emptyset$

      $A$ does not allocate into $T$. Now suppose $A$ is not circuit-
      free. Then, since $A'$ is circuit-free, any circuit of $A$ must 
      contain the arc $p_0 \cdot t_0$. But $t_0^{\bullet} \cap Q = \emptyset$: the arc $p_0 \cdot t_0$ 
      is not part of any circuit in $Q$, hence in $Q - T$.

      Allocation $A$ satisfies the conditions of Lemma 3.

    q.e.d.

Lemma 4: If the maximal trap $T$ in any deadlock $D$ of a Free Choice net 
    is blank, there exists a firing sequence which leads to a 
    marking where no transition of $D^{\bullet}$ is live.

Proof: Let $A: (D - T) \to (D - T)^{\bullet}$ be a circuit-free allocation of 
    $D - T$ such that $A(D - T) \cap {}^{\bullet}T = \emptyset$. Such an allocation exists 
    by Lemma 3.

    Let us call a firing sequence that does not fire any ex-
    cluded transitions an A-sequence:

    $\sigma$ is an A-sequence $\Leftrightarrow$ $\forall t \in \sigma$: $t \notin \bar{A}(D - T)$
    Then: - no A-sequence puts tokens on $T$: $T$ remains blank 
            ($A$ does not allocate into $T$ and $D$ is a deadlock).

          - no A-sequence fires in $(D - T)^{\bullet} - A(D - T)$ 
            [excluded transitions $\bar{A}(D - T)$]

          - no A-sequence fires in $T^{\bullet}$ since $T$ remains blank.

    hence: no A-sequence fires in $T^{\bullet} \cup [(D - T)^{\bullet} - A(D - T)]$. 
    Let $B$ be a set of places in $D - T$: $B \subseteq D - T$.

    claim: The only firings in an A-sequence that put tokens on 
    $B$ are those that fire in $A(D - T)$:

        For $B$ to receive a token, the sequence must fire in 
        ${}^{\bullet}B$. But $B \subseteq D$ and ${}^{\bullet}D \subseteq D^{\bullet}$, hence ${}^{\bullet}B \subseteq D^{\bullet}$. Since $T \subseteq D$ 
        we have: $D^{\bullet} = (D - T)^{\bullet} \cup T^{\bullet}$.

        Hence ${}^{\bullet}B \subseteq T^{\bullet} \cup (D - T)^{\bullet}$

        But an A-sequence does not fire in $T^{\bullet} \cup ((D - T)^{\bullet} - A(D - T))$, 
        hence any firing of an A-sequence in ${}^{\bullet}B$ must be in $A(D - T)$.

    Now let $B_0 = \{p \in D - T \mid \nexists p' \in D - T: p \in (A(p'))^{\bullet}\}$, 
    i.e. $B_0$ is the set of "heads" of the circuit-free allocation.

    Since ${}^{\bullet}B_0 \cap A(D - T) = \emptyset$ by construction, no A-sequence puts 
    tokens on $B_0$, hence there is a bound on the number of times 
    any A-sequence can fire in $B_0^{\bullet}$.

    Now let $B_{i+1} = \{p \in D - T \mid \nexists p' \in (D - T) - B_i: p \in (A(p'))^{\bullet}\}$.

    Assume $t \in {}^{\bullet}B_{i+1} \cap A(D - T)$

    Then, we have: $\exists p \in B_{i+1}$: $p \in t^{\bullet}$ 
                   $\exists p' \in D - T$: $t = A(p')$

    This implies $p \in (A(p'))^{\bullet}$

    Hence, by the definition of $B_{i+1}$: $p' \notin (D - T) - B_i$

    This implies that every such $t$ must be in $B_i^{\bullet}$.

    Hence: ${}^{\bullet}B_{i+1} \cap A(D - T) \subseteq A(B_i)$

    We know that any A-sequence can fire only a bounded number of 
    times in $B_0^{\bullet}$. Assume (inductive hypothesis) that any A-
    sequence can fire only a bounded number of times in $B_i^{\bullet}$. It 
    follows from ${}^{\bullet}B_{i+1} \cap A(D - T) \subseteq A(B_i)$ that any A-sequence can 
    put only a bounded number of tokens (cumulatively) on $B_{i+1}$, and 
    hence can fire only a bounded number of times in $B_{i+1}^{\bullet}$.

    Now, we show that $B_i \subseteq B_{i+1}$.

    Assume $B_i \not\subseteq B_{i+1}$. There must be a place $p \in D - T$ such that:

        $p \notin B_{i+1}$, i.e.: $\exists p_0 \in (D - T) - B_i$: $p \in (A(p_0))^{\bullet}$ 
        $p \in B_i$, i.e.: $\nexists p' \in (D - T) - B_{i-1}$: $p \in (A(p'))^{\bullet}$

    Hence, we must have: $p_0 \notin B_i$ 
                         $p_0 \in B_{i-1}$

    That is to say: $B_{i-1} \not\subseteq B_i$

    By repeating the argument for decreasing values of $i$, we get:

        $B_i \not\subseteq B_{i+1} \Rightarrow B_0 \not\subseteq B_1$

    But this leads to a contradiction: There must be a place 
    $p \in D - T$ such that:

        $p \notin B_1$, i.e.: $\exists p_0 \in (D - T) - B_0$: $p \in (A(p_0))^{\bullet}$ 
        $p \in B_0$, i.e.: $\nexists p' \in D - T$: $p \in (A(p'))^{\bullet}$

    which implies both $p_0 \in D - T$ and $p_0 \notin D - T$. 
    This permits us to rewrite the definition of $B_{i+1}$ as:
    $B_{i+1} = B_i \cup \{p \in (D - T) - B_i \mid \nexists p' \in (D - T) - B_i: p \in (A(p'))^{\bullet}\}$

    Then $B_{i+1} = B_i$ $\Leftrightarrow$ $(D - T) - B_i = \emptyset$  or 
                       $\forall p \in (D - T) - B_i$ $\exists p' \in (D - T) - B_i$: $p \in (A(p'))^{\bullet}$

    But the second alternative is impossible since $A$ is circuit-free 
    (following the allocated transitions backwards inside the finite set 
    $(D - T) - B_i$ would close a circuit). 
    Hence, since $B_i \subseteq B_{i+1} \subseteq D - T$:

        $B_{i+1} = B_i$ $\Leftrightarrow$ $B_i = D - T$

    This implies that the sequence $B_i$ grows strictly until it covers 
    all of $D - T$. In particular, $D - T$ is some $B_i$, and hence, by induction:

    Any A-sequence can fire only a bounded number of times in $(D - T)^{\bullet}$. 
    Since no A-sequence fires in $T^{\bullet}$, and $(D - T)^{\bullet} \cup T^{\bullet} = D^{\bullet}$, we have:

    There is an upper bound on the number of times any A-sequence can 
    fire in $D^{\bullet}$. Hence, there exists an A-sequence which leads to a 
    marking $M$ such that no A-sequence starting at $M$ can fire in $D^{\bullet}$.




    [Figure: the circuit-free allocation is shown in bold.]

    So far, we have not used the Free-Choice Hypothesis. Now we 
    show that, in a Free-Choice net, every firing sequence starting at 
    $M$ is an A-sequence, and hence does not fire in $D^{\bullet}$.

    Assume there is a firing sequence $\sigma t_0$ that starts at $M$ and is 
    not an A-sequence, but $\sigma$ is an A-sequence, i.e. $\sigma t_0$ is the shortest 
    non-A-sequence from marking $M$. Hence, we must have $p \in {}^{\bullet}t_0$ such 
    that:

        $p \in D - T$ 
        $A(p) = t_1 \neq t_0$

    But then, by the Free-Choice hypothesis: ${}^{\bullet}t_0 = \{p\}$ 
                                             ${}^{\bullet}t_1 = \{p\}$

    and ($t_0$ firable at $M[\sigma\rangle$) $\Rightarrow$ ($t_1$ firable at $M[\sigma\rangle$). But $\sigma t_1$ is an 
    A-sequence and $t_1 \in D^{\bullet}$: this contradicts our hypothesis that no 
    A-sequence starting at $M$ can fire in $D^{\bullet}$. 
    This proves Lemma 4.

Lemma 4 immediately implies : 

Theorem 2 : If a Free Choice net is live , every deadlock contains a 
marked trap. 

Proof : If some deadlock does not contain a marked trap, its maximal 
trap must be blank: apply Lemma 4. 

From Theorems 1 and 2 follows 

Commoner's Liveness Theorem (Theorem 3): A Free-Choice Net is live if and only if 
    every deadlock contains a marked trap.
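Theorem 3 turned into a decision procedure for small nets, as an added example (not code from the thesis): deadlocks are found by enumerating subsets of places, the maximal trap of each deadlock is computed by discarding places until what remains satisfies $T^{\bullet} \subseteq {}^{\bullet}T$, and the marking is live exactly when no deadlock has a blank maximal trap. The two sample nets are constructed here; the empty deadlock is skipped, which is an assumption of this example.

```python
"""Added example (not the thesis's code): Commoner's Liveness Theorem as a
decision procedure for small free-choice nets.  Arcs are pairs (x, y)
meaning x . y; a marking is a dict place -> token count."""
from itertools import combinations


def pre_set(arcs, xs):
    """X-pre = {y | y . x for some x in X}."""
    return {a for a, b in arcs if b in xs}


def post_set(arcs, xs):
    """X-post = {y | x . y for some x in X}."""
    return {b for a, b in arcs if a in xs}


def is_free_choice(arcs, places):
    """p . t  =>  post(p) = {t} or pre(t) = {p}."""
    return all(post_set(arcs, {p}) == {t} or pre_set(arcs, {t}) == {p}
               for p, t in arcs if p in places)


def maximal_trap(arcs, Q):
    """The union of all traps inside Q.  A place whose output transitions do
    not all put a token back into the remaining set cannot belong to any
    trap inside Q, so discarding such places until nothing changes leaves
    exactly the largest trap (possibly the empty trap)."""
    T = set(Q)
    changed = True
    while changed:
        changed = False
        for p in sorted(T):
            if not post_set(arcs, {p}) <= pre_set(arcs, T):
                T.discard(p)
                changed = True
    return T


def deadlocks(arcs, places):
    """All non-empty D with D-pre a subset of D-post, smallest first.  The
    empty set is trivially a deadlock too; by assumption of this example
    Commoner's condition is read over non-empty deadlocks only."""
    names = sorted(places)
    return [set(D) for k in range(1, len(names) + 1)
            for D in combinations(names, k)
            if pre_set(arcs, D) <= post_set(arcs, D)]


def is_marked(marking, P):
    return any(marking.get(p, 0) >= 1 for p in P)


def blank_trap_deadlock(arcs, places, marking):
    """A deadlock whose maximal trap is blank (a witness that the marking is
    not live), or None if every deadlock contains a marked trap.  Every
    trap inside D lies in its maximal trap, so 'D contains a marked trap'
    is the same as 'the maximal trap of D is marked'."""
    for D in deadlocks(arcs, places):
        if not is_marked(marking, maximal_trap(arcs, D)):
            return D
    return None


def commoner_live(arcs, places, marking):
    """Theorem 3: a free-choice net is live iff every deadlock contains a
    marked trap.  The theorem is only claimed for FC nets, so refuse others."""
    if not is_free_choice(arcs, places):
        raise ValueError("Commoner's theorem needs a free-choice net")
    return blank_trap_deadlock(arcs, places, marking) is None


# Constructed sample nets (not from the thesis).
# CYCLE: a -> t1 -> b -> t2 -> a.  The only deadlock {a, b} is also a trap.
CYCLE_PLACES = {"a", "b"}
CYCLE_ARCS = {("a", "t1"), ("t1", "b"), ("b", "t2"), ("t2", "a")}

# SYNC: a free choice at a (t1 or t2) followed by a synchronisation at t3.
# {a, b} is a deadlock (pre = {t1, t3}, post = {t1, t2, t3}) whose maximal
# trap is empty: firing t2 strands the token on c and t3 never fires again.
SYNC_PLACES = {"a", "b", "c"}
SYNC_ARCS = {("a", "t1"), ("t1", "b"), ("a", "t2"), ("t2", "c"),
             ("b", "t3"), ("c", "t3"), ("t3", "a")}

if __name__ == "__main__":
    print(commoner_live(CYCLE_ARCS, CYCLE_PLACES, {"a": 1}))        # True
    print(blank_trap_deadlock(SYNC_ARCS, SYNC_PLACES, {"a": 1}))   # {'a', 'b'}
```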
4.2 Safeness; Live-and-Safe Markings

For our purposes, it is not very interesting to study safeness in 
non-live nets. For example, every Petri Net that has no zero-
input transitions has at least one safe marking: the blank marking. 
Hence, the concept of Live-and-Safe is studied rather than safeness for 
its own sake.

4.2.1 Definition of a Covering of a Petri Net 

Deadlocks and traps have been defined as sets of places. However, 
we also use sets of transitions associated with such sets of places, both 
in the definition "D c D* and in applications: cf. proofs seen so far. 
So, we define the concept of a consistent subnet defined by a set of 
places Q : 

Definition: A consistent subnet of a Petri Net $(\Pi, \Sigma)$ defined by a set 
    of places $Q \subseteq \Pi$ is the Petri Net $(Q, {}^{\bullet}Q \cup Q^{\bullet})$, i.e. the net 
    consisting of $Q$ and all transitions directly connected to $Q$.

[Figure: original net, and the consistent subnet defined by $\{p_2, p_3\}$.]

We also define the union of two consistent subnets defined by $Q \subseteq \Pi$ 
and $Q' \subseteq \Pi$ as the consistent subnet defined by $Q \cup Q'$.

Definition: A Petri Net is covered by a collection of consistent sub-
    nets if the union of these consistent subnets over the col-
    lection is the whole net, or equivalently, if every place 
    is in some consistent subnet of the collection.

We say that these subnets form a covering of the original net. 
Note that if $Q$ is

    a deadlock, its consistent subnet is $(Q, Q^{\bullet})$ 
    a trap, its consistent subnet is $(Q, {}^{\bullet}Q)$.

4.2.2 A Necessary Condition for a Live-and-Safe Marking in a Free 
Choice Net 

The prototype of a live and safe net is a net where there is always 
only one token. Strongly connected State Machines, where every transition 
has exactly one input and one output place, have such one-token live and 
safe markings. We will show that the concept of one-token Strongly 
Connected State Machine ( SCSM ) is central to the discussion of Live and 
Safe Free Choice Nets. 

We shall first prove that if a Free Choice Net is live and safe, 
there must exist a covering of one-token SCSM's. 

First we note that if the net is live and safe at marking M, the 
marking M 1 obtained by removing one token from M is not live. For if it 
were, we could get another stone on the place where the previous stone 
was removed, and hence the marking M would have been unsafe. (We must 
exclude here nets that have isolated places, i.e. not connected to any 
transition, this should not be a severe restriction however.) 

Theorem 4: If a Free-Choice net is Live and Safe, there is a covering 
    by one-token Strongly Connected State Machines: 
    LSFC $\Rightarrow$ covered by one-token SCSM's.

Proof: a) Live and Free Choice => every deadlock contains a marked 
trap. 

Live and Safe : If we take one token away, the net is 
non-live, and some deadlock has a blank maximal trap. 
(We need both the necessary and sufficient condition for liveness.)

Hence: LSFC $\Rightarrow$ every token is the unique token of the maximal trap in 
    some deadlock.

    b) Suppose such a deadlock is not minimal. Then the token of 
    the maximal trap will be in the maximal trap of some smaller 
    deadlock. (There is only one token available, every dead-
    lock must contain a marked maximal trap, and the maximal 
    trap of the smaller deadlock is contained in the maximal 
    trap of the containing deadlock.)

Hence: LSFC $\Rightarrow$ every token is the unique token of the maximal trap in 
    some minimal Deadlock.

    c) In a FC net, the consistent subnet defined by a minimal 
    deadlock does not contain a transition with more than two 
    input places. If there were such a transition, its input 
    places would have no other output transition (Free Choice). 
    But then we could take away all but one input place and 
    still have a deadlock: the deadlock was not minimal.

    Therefore, the number of tokens in the maximal trap of a 
    minimal deadlock in a FC net may not decrease by any firing 
    sequence.

    [Figure]

    d) Now suppose the consistent subnet defined by the maximal 
    trap in the minimal deadlock has a transition with two 
    output places. If the net is live, every firing of this 
    transition increases the number of tokens on the trap. But 
    it cannot decrease: unbounded, hence unsafe.

Hence: The maximal trap in a minimal deadlock of a live and safe Free-
    Choice Net defines a State Machine as consistent subnet.

    e) Suppose the maximal trap is not a deadlock itself. There 
    must be a transition which puts a token on the trap without 
    taking one away, hence liveness implies unsafeness, as above.

Hence: LSFC $\Rightarrow$ every minimal deadlock is a trap and defines a State 
    Machine.

    f) Suppose a minimal deadlock that is a non-strongly connected 
    State Machine:

    [Figure: a State Machine made of parts A and B.]

    But then, if AB is a deadlock, so is A, hence AB cannot be 
    minimal.

    LSFC $\Rightarrow$ every minimal deadlock defines a SCSM.

    g) From b) and f) it follows that every token is the unique token 
    in a SCSM. But the net is assumed to be live: any place can 
    hold a token at some time. (We exclude nets with isolated places.)

Hence: LSFC $\Rightarrow$ covered by one-token SCSM's.

q.e.d.

q.e.d. 

4.2.3 Sufficiency Condition for Safeness in a Live Free Choice Net

Now we wish to prove that a one-token SCSM covering is sufficient 
for safety, and derive a necessary and sufficient condition for live-
and-safeness of a Free Choice net.

Lemma 5: In a Free Choice net that does not have a live and safe 
    marking, every live marking is unbounded (some place col-
    lects an unbounded number of tokens).

Proof: By hypothesis, every live marking is unsafe. From the live-
    ness theorem we know that if a marking $M$ is live, so is the 
    marking $M' = M \cap 1$ obtained by removing, from every place, every 
    token except one: every trap remains marked.
    Let $M_0$ be a live marking, hence unsafe. We shall fire until 
    we reach a marking $M'_1 \in \mathcal{M}_0$ where some place has more than one 
    token. We now paint, in every place, every token red except 
    one, and pledge not to move the red tokens anymore. We con-
    tinue firing with the non-painted tokens, effectively we fire 
    now in $\mathcal{M}_1$ where $M_1 = M'_1 \cap 1$.

    Since $M_1$ is live, it is unsafe; fire until $M'_2$ where some 
    place contains more than one token, paint some tokens red, 
    continue firing in $\mathcal{M}_2$ where $M_2 = M'_2 \cap 1$, etc. At each step, 
    the number of red tokens strictly increases. But our pledge 
    not to move them is perfectly consistent with the firing rule 
    in $\mathcal{M}_0$: any marking in $\mathcal{M}_i$ together with all red tokens ac-
    cumulated so far is a marking in $\mathcal{M}_0$: $M_0$ is unbounded: there 
    is no bound on the number of tokens in the markings of $\mathcal{M}_0$.

    q.e.d.

The above lemma only depends on the fact that liveness is deter-
mined by places having tokens or not, in contrast to having a specific 
number of tokens. This property holds for FC nets but not for more 
general nets:

[Figure: a FC net; this net is live for one or more tokens at place $p$.]

But it is false for the following net:

[Figure: a non-FC net with places $p_1$, $p_2$.]

    No live marking is safe, but 
    the marking $M(p_1) = 2$, $M(p_2) = 1$ 
    is live, unsafe, bounded.

    But removing one token 
    from $p_1$ kills the net. 
    Surprisingly, adding one 
    token to $p_1$ also kills the 
    net!

4.3 The Live-and-Safeness Theorem 

Theorem 5 : If a Free Choice net is covered by Strongly Connected State 
Machines and has a live marking, it has a live and safe 
marking. 

Proof : The number of tokens on any of the covering SCSM's is constant 
for all firing sequences. Hence an upper bound for the number 
of tokens is the sum of the number of tokens over all covering 
SCSM's. (If a token is shared among several covering SCSM's, 
it is counted several times.) But then, by lemma 5, if there 
is a live marking there must be a live and safe marking. 



q.e.d. 



From the proof of Theorem 4 (necessary condition for safeness) it 
follows that in a live and safe Free Choice net every minimal deadlock 
is a SCSM. Conversely, a SCSM is always a minimal deadlock and con- 
tains a trap, namely itself. 

Hence : 
Live-and-Safeness Theorem (Theorem 6): A Free Choice net is live and safe if and only 
    if it is covered by one-token SCSM's and every 
    minimal deadlock is a marked SCSM.

The following example shows the importance of the word marked SCSM:

[Figure (left):] 
    covered by one-token SCSM's 
    every minimal deadlock is a SCSM 
    some minimal deadlock is blank 

    not Live and Safe

[Figure (right):] 
    covered by one-token SCSM's 
    every minimal deadlock is SCSM, and marked 
    some minimal deadlock has 2 tokens 

    Live and Safe
Corollary: A Free Choice net has a live and safe marking if and only 
    if it is covered by SCSM's and every minimal deadlock is a 
    SCSM.

Proof: The only-if part follows immediately from Theorem 6. Now 
    suppose every minimal deadlock is a SCSM, hence contains a 
    trap: the marking that has at least one token on each 
    SCSM is live. Then, by Theorem 5, it has a live-and-safe 
    marking.

q.e.d.
CHAPTER 5 
Decomposition of Free Choice Petri Nets 

5.1 Well-Formedness in Free Choice Petri Nets 

In the Live-and-Safeness Theorem (Theorem 6) we used the concept 
of a covering by Strongly Connected State Machines. In this chapter 
we shall consider an algorithm for obtaining such a decomposition. 
There may be several possible coverings of SCSM's that satisfy the 
corollary of Theorem 6 (Existence of a Live-and-Safe Marking). Our 
algorithm will produce all such coverings. If the net has no SCSM 
coverings that satisfy Theorem 6, the algorithm will produce subnets 
that are not strongly connected, or not State Machines. This gives us 
yet another test for the existence of a Live-and-Safe Marking in a Free 
Choice net. 

For convenience, we shall call a Free Choice net that satisfies the 
corollary of Theorem 6 a Well-Formed (WF) Free Choice Net. This chapter 
then discusses various Well-Formedness criteria and tests.

Definition: A Free Choice Petri Net is Well-Formed if it is covered by 
    Strongly Connected State Machines and every minimal dead-
    lock is a Strongly Connected State Machine.

Corollary: A Free Choice Petri Net has a Live-and-Safe Marking if and 
    only if it is Well-Formed.

    FC: $\exists LS \Leftrightarrow WF$

5.2 Duality, Reverse-Duality; Open and Closed Consistent Subnets 

The decomposition algorithms and proofs in this chapter require the 
definition of some new concepts. 

If we compare the definitions of Deadlocks and Traps, or State 
Machines and Marked Graphs, we note a striking similarity: A Trap has 
the same definition as a Deadlock if we reverse all arrows , i.e. if we 
transpose, throughout the definition, the words input and output . A 
Marked Graph has the same definition as a State Machine if we transpose, 
throughout the definition, the words place and transition. In the first 
case, we say that a Deadlock is the reverse of a Trap (and vice versa); 
in the second case, we say that a Marked Graph is the dual of a State 
Machine (and vice versa). 

If we now look at the definition of a Free Choice Net, we observe 
that by transposing the words input and output (and also transpose to and 
from ), and then transposing the words place and transition, we get the 
same definition : 

before : Every arc from a place to a transition is either the 

unique input arc to a transition , or the unique output 
arc from a place . 

after ; Every arc to a transition from a place is either the 
unique output arc from a place , or the unique input 
arc to a transition . 

We express this by saying that the reverse-dual of a Free Choice Net is 
a Free Choice net. 

Formally, we have: 

Definition: • The reverse of a Petri Net $(\Pi, \Sigma, \cdot)$ is a Petri Net 
    $(\Pi', \Sigma', \circ)$ such that there are two bijections $\varphi$ and $\psi$:

        $\varphi: \Pi \to \Pi'$ 
        $\psi: \Sigma \to \Sigma'$

    and, $\forall p \in \Pi$, $\forall t \in \Sigma$:

        $p \cdot t \Leftrightarrow \psi(t) \circ \varphi(p)$ 
        $t \cdot p \Leftrightarrow \varphi(p) \circ \psi(t)$ 
        (arrow-reversal)

    [Figure: primal and reverse.]
Definition: • The dual of a Petri Net $(\Pi, \Sigma, \cdot)$ is a Petri Net 
    $(\Pi', \Sigma', \circ)$ such that there are two bijections $\varphi$ and $\psi$:

        $\varphi: \Pi \to \Sigma'$ 
        $\psi: \Sigma \to \Pi'$

    and, $\forall p \in \Pi$, $\forall t \in \Sigma$:

        $p \cdot t \Leftrightarrow \varphi(p) \circ \psi(t)$ 
        $t \cdot p \Leftrightarrow \psi(t) \circ \varphi(p)$ 
        (place-transition interchange)

    [Figure: primal with places $a, b, c$ and transitions $x, y$; dual with 
    transitions $\varphi(a), \varphi(b), \varphi(c)$ and places $\psi(x), \psi(y)$.]



Definition: • The reverse-dual of a Petri Net $(\Pi, \Sigma, \cdot)$ is the net 
    $(\Pi', \Sigma', \circ)$ such that there are two bijections $\varphi$ and $\psi$:

        $\varphi: \Pi \to \Sigma'$ 
        $\psi: \Sigma \to \Pi'$

    and, $\forall p \in \Pi$, $\forall t \in \Sigma$:

        $p \cdot t \Leftrightarrow \psi(t) \circ \varphi(p)$ 
        $t \cdot p \Leftrightarrow \varphi(p) \circ \psi(t)$

    [Figure: primal with places $a, b, c$; reverse-dual with transitions 
    $\varphi(a), \varphi(b), \varphi(c)$.]

It is clear that: reverse of dual = dual of reverse = reverse-dual 
                  dual of dual = primal 
                  reverse of reverse = primal 
                  reverse-dual of reverse-dual = primal 

(primal = the original net)
Lemma 6: The reverse-dual of Free-Choice is Free Choice. 
                             State Machine is Marked Graph 
                             Marked Graph is State Machine 
                             Strongly connected is Strongly Connected.

Proof: Let the primal be $(\Pi, \Sigma, \cdot)$ 
    Let the reverse-dual be $(\psi(\Sigma), \varphi(\Pi), \circ)$ 
    where $\varphi$ and $\psi$ are bijections.

    Then: (FC in primal) $\equiv$ $(\forall p \in \Pi\ \forall t \in \Sigma: p \cdot t \Rightarrow p^{\bullet} = \{t\}$ or ${}^{\bullet}t = \{p\})$

    But, in the reverse-dual, we get:

        $p \cdot t \Leftrightarrow \psi(t) \circ \varphi(p)$ 
        $p^{\bullet} = \{t\} \Leftrightarrow {}^{\circ}\varphi(p) = \{\psi(t)\}$ 
        ${}^{\bullet}t = \{p\} \Leftrightarrow \psi(t)^{\circ} = \{\varphi(p)\}$ 
    hence: $\psi(t) \circ \varphi(p) \Rightarrow {}^{\circ}\varphi(p) = \{\psi(t)\}$ or $\psi(t)^{\circ} = \{\varphi(p)\}$ 
    i.e., writing $p' = \psi(t)$ and $t' = \varphi(p)$: $p' \circ t' \Rightarrow {}^{\circ}t' = \{p'\}$ or $p'^{\circ} = \{t'\}$

    The three remaining points of the Lemma are trivial.

Example 1: Strongly connected Free Choice net. This example happens 
    to be self-reverse-dual.

    [Figure: primal and reverse-dual.]

Example 2: [Figure: primal, a State Machine, and reverse-dual, a Marked 
    Graph; both not strongly connected.]
We defined the notion of a consistent subnet defined by a set of 
places. The dual (and reverse-dual) notion of this is a consistent sub- 
net defined by a set of transitions, and consisting of these transitions 
and all places connected to them: 

Definition: A consistent subnet defined by a set of transitions $T \subseteq \Sigma$ 
    of a Petri Net $(\Pi, \Sigma)$ is the Petri net $({}^{\bullet}T \cup T^{\bullet}, T)$.

We shall emphasize the distinction of the two kinds of consistent sub-
nets by calling them closed and open respectively:

Definition: • A closed consistent subnet is a subnet $(\Pi, \Sigma)$ such that 
      $\Sigma = {}^{\bullet}\Pi \cup \Pi^{\bullet}$ (defined by its places)

    • An open consistent subnet is a subnet $(\Pi, \Sigma)$ such that 
      $\Pi = {}^{\bullet}\Sigma \cup \Sigma^{\bullet}$ (defined by its transitions).

The distinction takes its name from the fact that the former is separated 
from the rest of the net by a boundary of transitions, the latter by a 
boundary of places (more "open" than transitions).

To every statement about a Free-Choice Petri net corresponds a 
statement about the reverse-dual net: 



    primal                          reverse-dual

    place                           transition 
    input (to)                      output (from) 
    input arc to a transition       output arc of a place 
    covering by SCSM's              covering by SCMG's 
                                    (Strongly Connected Marked Graphs) 
    Closed Consistent Subnet        Open Consistent Subnet 
    SM-allocation                   MG-allocation 
    etc.



Note also that the reverse of a trap is a deadlock, but we have no inter- 
pretation yet for the dual or the reverse-dual notion of a trap. 



5.3 Decomposition of a Free-Choice Net into a Covering of SCSM's 

We shall describe a reduction method which, given an FC net, con- 
structs all possible SCSM's that form a covering. The method is such 
that if the net is well-formed, every reduction yields a SCSM and they 
cover the net; if the net is not well-formed, some reduction will not 
yield a SCSM, or the reductions will not cover the net. 

We recall, from the proof of Theorem 4, that in a Free Choice net 
we can construct a minimal deadlock by choosing any one of the input 
places to a transition that has one output place committed to the dead- 
lock. So, to reduce the net to one of its component SCSM's we make 
such a choice ahead of time for all transitions. 



The boundary of a subnet $(\Pi', \Sigma')$ in a net $(\Pi, \Sigma)$ is the set 
$\{x \mid x \in \Pi' \cup \Sigma'$ and $(x^{\bullet} \cup {}^{\bullet}x) \cap ((\Pi - \Pi') \cup (\Sigma - \Sigma')) \neq \emptyset\}$

We shall therefore define an allocation of input places to transi-
tions much like we defined an allocation of output transitions to 
places in the proof of Lemmas 3 and 4. Since we wish to construct 
state machines, we distinguish this allocation by calling it a state-
machine allocation, or SM-allocation.

IMPORTANT NOTE: We shall from now on interpret "strongly connected" and 
"SC" as "consisting of strongly connected components."

Hence, a reduced net consisting of several disjoint but individually 
strongly connected State Machines (or Marked Graphs) will also be called 
SCSM (or SCMG).

Definition: An SM-allocation over a Free Choice net $(\Pi, \Sigma)$ 
    is a function $B: \Sigma \to \Pi$ such that:

        $\forall t \in \Sigma$: $B(t) \in {}^{\bullet}t$

Given such an SM-allocation $B$ we will now reduce the net to a SCSM 
(if possible) that does not contain unallocated places:

    Step 1: Delete all unallocated places. $(\Pi - B(\Sigma))$

    Step 2: Delete all transitions that have all output places 
            already deleted.

    Step 3: Delete all places that have at least one output 
            transition already deleted.

    Repeat Steps 2 and 3 until neither is applicable anymore.

What is left over is the reduced net. Each step eliminates some elements 
that would not be part of a SCSM consistent with the SM-allocation.
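The three-step SM-reduction above, carried through for every SM-allocation and combined into the Well-Formedness test of Theorem 7, as an added example (not the thesis's own code). The two nets are constructed for this example: a fork-join net, which has two SM-allocations whose reductions are SCSM's covering the net, and a choice-then-synchronisation net, whose reduction deletes everything and is therefore not WF.

```python
"""Added example (not the thesis's own code): SM-allocations, the three-step
SM-reduction of Section 5.3 and the Well-Formedness test of Theorem 7,
run on two constructed free-choice nets.  Arcs are pairs (x, y): x . y."""
from itertools import product


def pre(arcs, x):
    """x-pre."""
    return {a for a, b in arcs if b == x}


def post(arcs, x):
    """x-post."""
    return {b for a, b in arcs if a == x}


def sm_allocations(arcs, transitions):
    """Every SM-allocation B: Sigma -> Pi with B(t) in pre(t), as a dict.
    (Assumes every transition has at least one input place.)"""
    ts = sorted(transitions)
    for choice in product(*(sorted(pre(arcs, t)) for t in ts)):
        yield dict(zip(ts, choice))


def sm_reduce(arcs, places, transitions, B):
    """Step 1: delete the unallocated places Pi - B(Sigma).  Then repeat
    Step 2 (delete transitions whose output places are all deleted) and
    Step 3 (delete places having a deleted output transition) until
    neither applies.  Returns the reduced net (Q_p, Q_t)."""
    Qp = set(places) & set(B.values())
    Qt = set(transitions)
    changed = True
    while changed:
        changed = False
        for t in sorted(Qt):
            if not post(arcs, t) & Qp:          # step 2
                Qt.discard(t)
                changed = True
        for p in sorted(Qp):
            if post(arcs, p) - Qt:              # step 3
                Qp.discard(p)
                changed = True
    return Qp, Qt


def is_scsm(arcs, Qp, Qt):
    """Non-empty, every transition has exactly one input and one output
    place inside the reduced net, and every arc lies within a strongly
    connected component (the 'SC' reading adopted in Section 5.3)."""
    if not Qp or not Qt:
        return False
    nodes = Qp | Qt
    sub = {(a, b) for a, b in arcs if a in nodes and b in nodes}
    if any(len(pre(sub, t)) != 1 or len(post(sub, t)) != 1 for t in Qt):
        return False

    def reach(x):
        seen, stack = set(), [x]
        while stack:
            y = stack.pop()
            for z in post(sub, y):
                if z not in seen:
                    seen.add(z)
                    stack.append(z)
        return seen

    # an arc a -> b lies on a circuit iff b reaches a again
    return all(a in reach(b) for a, b in sub)


def is_well_formed(arcs, places, transitions):
    """Theorem 7: if every SM-reduction is a SCSM and they cover the net,
    the net is WF (has a live-and-safe marking)."""
    covered = set()
    for B in sm_allocations(arcs, transitions):
        Qp, Qt = sm_reduce(arcs, places, transitions, B)
        if not is_scsm(arcs, Qp, Qt):
            return False
        covered |= Qp
    return covered == set(places)


# Constructed nets (not from the thesis).
# FORK_JOIN: t1 forks a into b and c; t4 joins d and e back into a.
FJ_PLACES = {"a", "b", "c", "d", "e"}
FJ_TRANS = {"t1", "t2", "t3", "t4"}
FJ_ARCS = {("a", "t1"), ("t1", "b"), ("t1", "c"), ("b", "t2"), ("t2", "d"),
           ("c", "t3"), ("t3", "e"), ("d", "t4"), ("e", "t4"), ("t4", "a")}
# CHOICE_SYNC: a free choice at a (t1 or t2), then a synchronisation at t3.
CS_PLACES = {"a", "b", "c"}
CS_TRANS = {"t1", "t2", "t3"}
CS_ARCS = {("a", "t1"), ("t1", "b"), ("a", "t2"), ("t2", "c"),
           ("b", "t3"), ("c", "t3"), ("t3", "a")}

if __name__ == "__main__":
    B = {"t1": "a", "t2": "b", "t3": "c", "t4": "d"}
    print(sm_reduce(FJ_ARCS, FJ_PLACES, FJ_TRANS, B))    # ({a,b,d}, {t1,t2,t4})
    print(is_well_formed(FJ_ARCS, FJ_PLACES, FJ_TRANS))  # True
    print(is_well_formed(CS_ARCS, CS_PLACES, CS_TRANS))  # False
```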

Formally, we construct the sets of eliminated places ($E_p$) and tran-
sitions ($E_t$) as follows, given an SM-allocation $B$ on a FC net $(\Pi, \Sigma)$:

    ${}^{\bullet}t - \{B(t)\} \subseteq E_p$                        (step 1) 
    $t^{\bullet} \subseteq E_p \Rightarrow t \in E_t$                   (step 2) 
    $p^{\bullet} \cap E_t \neq \emptyset \Rightarrow p \in E_p$      (step 3)

Then the SM-reduced net is defined as the Petri Net $(\Pi - E_p, \Sigma - E_t)$, 
say $(Q_p, Q_t)$. Hence:

    $Q_p = \Pi - E_p$ 
    $Q_t = \Sigma - E_t$

From the definition follows immediately:

    $Q_p \subseteq {}^{\bullet}Q_t$      $Q_p \subseteq Q_t^{\bullet}$

and hence:

    $Q_p \subseteq {}^{\bullet}Q_t \cap Q_t^{\bullet}$

Now assume $t^{\bullet} \cap Q_p = \emptyset$. 
It follows that: $t^{\bullet} \subseteq E_p$ 
                 $t \in E_t$ 
                 $t \notin Q_t$

Hence: $(t \in Q_t) \Rightarrow (t^{\bullet} \cap Q_p \neq \emptyset) \Leftrightarrow (\exists p \in Q_p: t \in {}^{\bullet}p) \Rightarrow (t \in {}^{\bullet}Q_p)$

i.e. $Q_t \subseteq {}^{\bullet}Q_p$

Hence: ${}^{\bullet}Q_p \cup Q_p^{\bullet} \subseteq Q_t \subseteq {}^{\bullet}Q_p$

i.e.: $Q_t = {}^{\bullet}Q_p \cup Q_p^{\bullet}$     (closed consistent subnet) 
      $Q_p^{\bullet} \subseteq {}^{\bullet}Q_p$            (trap)

Also, by construction, $\forall t$: $|{}^{\bullet}t \cap Q_p| \leq 1$: (non-decreasing)
Lemma 7: An SM-reduction of a FC net is a closed consistent subnet 
defined by a non-decreasing trap. 

We shall now prove a sufficient condition for Well-Formedness in terms 
of SM-reductions of a FC net: 

Theorem 7 : If every SM-reduction of a FC net is a SCSM, and they cover 
the net, then the net is WF. 

Proof: All that is required to prove is that every minimal deadlock 
$(D, D^{\bullet})$ is a SCSM. 
We know that because D is minimal in a FC net, 

$\forall t \in D^{\bullet} : |{}^{\bullet}t \cap D| = 1$ 

We say that an SM-allocation B and the corresponding SM- 
reduction are consistent with the minimal deadlock D 

if: $\forall t \in D^{\bullet} : {}^{\bullet}t \cap D = \{B(t)\}$ 

Such allocations exist because of the fact that $|{}^{\bullet}t \cap D| = 1$. 
(Note that, since the deadlock is minimal, this implies 
$B(D^{\bullet}) = D$.) 

First, we show that the minimal deadlock D must inter- 
sect some SM-reduction $\langle Q_p, Q_t \rangle$ consistent with D, i.e. that 
$D \cap Q_p \neq \emptyset$. 

Assume the contrary: $D \cap Q_p = \emptyset$ for every SM-allocation 
B consistent with D, whose associated SM-reduction is $\langle Q_p, Q_t \rangle$. 

case 1: $\forall t \in D^{\bullet} : |{}^{\bullet}t| = 1$ 

In this case, every SM-allocation is consistent with D, 
hence deletes all of D (since, by assumption, $D \cap Q_p = \emptyset$). 
This contradicts the fact that the reductions cover the net. 

case 2: $\exists t_0 \in D^{\bullet} : |{}^{\bullet}t_0| \geq 2$ 

For any SM-allocation B' not consistent with D, let: 

${}^{\bullet}t_0 \cap D = \{p_0\}$ 

$B'(t_0) = p_1$ 

$p_1 \neq p_0$ (B' not consistent with D) 

Then, every SM-allocation not consistent with D (such as B') 
deletes $p_0$ (Step 1: $p_0$ is unallocated). But, by assumption, 
every SM-allocation consistent with D also deletes $p_0$: 
The reductions do not cover: contradiction. 

Hence: Every minimal deadlock D intersects some SM-reduction 
$\langle Q_p, Q_t \rangle$ consistent with D: 

$D \cap Q_p \neq \emptyset$ 

Now, let $p \in D \cap Q_p$; 

then: ${}^{\bullet}p \subseteq D^{\bullet}$ because D is a deadlock. 

${}^{\bullet}p \subseteq Q_t$ because the reduction is a Closed Con- 
sistent subnet. 

also, $\forall t \in {}^{\bullet}p : {}^{\bullet}t \cap D = \{B(t)\}$ and $B(t) \in Q_p$, 

because the reduction $\langle Q_p, Q_t \rangle$, defined by SM-allocation B, 
is consistent with $(D, D^{\bullet})$. 

Hence: ${}^{\bullet}({}^{\bullet}p) \cap D \subseteq Q_p \cap D$ 

By repeating this process for each place in ${}^{\bullet}({}^{\bullet}p)$ along back- 
wards paths until D or $Q_p$ is exhausted (which must happen 
since D and $Q_p$ are minimal deadlocks, the latter because it 
is SCSM, and hence every place can be reached by a back- 
wards path) we get $D \subseteq Q_p$ or $Q_p \subseteq D$. But since both are mini- 
mal deadlocks, we must have: 

$D = Q_p$ 

Hence D is SCSM. 

q.e.d. 
5.4 Decomposition of a FC Net Into a Covering of Strongly Connected 
Marked Graphs 

A Free-Choice Net can be considered as an extension of State Ma- 
chines by allowing Marked-Graph-type concurrency, or as an extension of 
Marked Graphs by allowing State-Machine-type conflict. Historically, 
this view is at the origin of the concept of Free-Choice nets. 

So far, we were concerned with the State-machine-like behavior of 
FC nets. But, noting that the reverse-dual of a FC net is also FC, 
we shall now use this as a tool for analyzing Marked-Graph-related 
properties. 

We used SM-allocation reduction to get a decomposition into Closed 
Consistent Subnets. Now, we define Marked-Graph allocation as the 
reverse-dual concept and use it to get Open Consistent Subnets. 

Definition: A Marked-Graph Allocation (MG-allocation) over a Free Choice 
net $(\Pi, \Sigma)$ is a function 

$A : \Pi \to \Sigma$ 

such that $\forall p \in \Pi : A(p) \in p^{\bullet}$ 

This is exactly the type of allocation we used over a sub- 
set of places in the proof of Theorem 2. 

Now we define MG-reduction, given an MG-allocation A, by translating the 
definition of SM-reduction into the corresponding reverse-dual concepts : 

Step 1: Delete all unallocated transitions ($\Sigma - A(\Pi)$). 

Step 2: Delete all places that have all input transitions al- 
ready deleted. 

Step 3: Delete all transitions that have at least one input 
place already deleted. 

Repeat Steps 2 and 3 until neither is applicable anymore. 
What is left over is the reduced net. Each step eliminates some 
elements that would not be part of a SCMG consistent with the MG- 
allocation. 

However, we can also interpret this reduction as the elimination 
of all those parts in the net that would not be active if we were to use 
the allocation as a choice for multiple-output places: We deliberately 
choose not to fire unallocated transitions (Step 1); if all token flow is 
interrupted to a place, that place becomes inactive (Step 2); and if 
some input place to a transition is inactive, that transition will be 
inactive (Step 3). This description is informal at best, but if we 
interpret "inactive" as "receiving only a finite number of tokens," or 
"firable only a finite number of times," it will be useful for proofs 
about liveness. 

Formally, we define the reduced net as follows: 

- Sets of deleted places $E_p$, deleted transitions $E_t$: 

$p^{\bullet} - \{A(p)\} \subseteq E_t$ (Step 1) 

${}^{\bullet}p \subseteq E_t \Rightarrow p \in E_p$ (Step 2) 

${}^{\bullet}t \cap E_p \neq \emptyset \Rightarrow t \in E_t$ (Step 3) 

The MG-reduced net, via MG-allocation A, is the net $\langle Q_p, Q_t \rangle$ 

where $Q_p = \Pi - E_p$ 

$Q_t = \Sigma - E_t$ 

As in the case of SM-reduction, we get by reverse-duality: 

$Q_p = Q_t^{\bullet} \cup {}^{\bullet}Q_t = Q_t^{\bullet}$ ; Open Consistent Subnet 

${}^{\bullet}Q_t \subseteq Q_t^{\bullet}$ 

$\forall p : |p^{\bullet} \cap Q_t| \leq 1$ ; Conflict-free 

We have no significant interpretation yet for ${}^{\bullet}Q_t \subseteq Q_t^{\bullet}$. We summarize 
these facts by: 
these facts by : 
Lemma 8: An MG-reduction of a FC net is a conflict-free open consistent 
subnet. MG-reductions provide us with a necessary condition 
for well-formedness. 

Lemma 9: If some MG-reduction of a FC net is empty the net is not live. 



Proof: If some MG-reduction is empty, the set of eliminated transi- 
tions $E_t$ and eliminated places $E_p$ form the whole net, for some 
MG-allocation A. Let us do the reductions step by step and 
check for possible firings of the eliminated transitions by 
A-sequences (see proof of Theorem 2). 

Step 1: No A-sequence fires any unallocated transition, by 
definition. We start building $E_t$ with transitions 
firable at most a bounded number of times. 

Step 2: Eliminate those places that have only deleted input 
transitions. By inductive hypothesis, these transi- 
tions can only fire a bounded number of times. 
Hence, these eliminated places can fire their output 
transitions only a bounded number of times. 

Step 3: Eliminate those transitions that have at least one 
input place deleted. By the explanation of step 2, 
they can fire only a bounded number of times: This 
supports the inductive hypothesis of bounded firability 
for a repetition of steps 2 and 3. 

Since all transitions will be eliminated by hypothesis, every 
A-sequence can fire each transition only a bounded number of 
times. 

Now let M be any marking, and let $\alpha$ be an A-sequence such that 
no transition is firable by an A-sequence starting at 
$M' = M[\alpha\rangle$. We just proved the existence of such an A-sequence. 
By the same reasoning as used in the proof of Lemma 4, we show that 
every firing sequence starting at M' must be an A-sequence, i.e. 
no transition can be fired by any firing sequence starting at 
M'. For suppose some transition is firable at M'. It must be 
an unallocated transition $t_0 \in p_0^{\bullet} - \{A(p_0)\}$ for some $p_0$, since 
it must be part of a non-A-sequence. But, by Free Choice 
hypothesis: $t_0$ firable $\Leftrightarrow$ $A(p_0)$ firable, which contradicts 
the assumption that no A-sequence can fire at M'. 

q.e.d. 



Lemma 10: If some MG-reduction of a live FC net is not a SCMG, the net 
is unsafe. 

Proof : a) Let us consider the MG-reduction within the original net . 
Since each transition in the subnet has all the places con- 
nected to it both in the original net and in the subnet ( open 
consistent subnet ) a transition is firable in the subnet if 
and only if it is firable in the original net, and the effect 
of that firing on the marking is the same. Hence, if a 
firing in the subnet leads to an unsafe marking, the net is 
unsafe; if it leads to a marking where no transition in the 
subnet can be fired (A-sequence), then no firing sequence in 
the original net can fire any transition in the subnet; in this 
latter case, the same argument used in Lemma 4 and Lemma 9 ap- 
plies again. 

Hence: Net live $\Rightarrow$ MG-reduction live 

MG-reduction unsafe $\Rightarrow$ Net unsafe 

b) Now consider the MG-reduced net $\langle Q_p, Q_t \rangle$ alone. Assume 
it has a live marking. We shall show it is unsafe if it is not 
a SCMG. 
- if it is not strongly connected, it must be unsafe. 
(We must assume here that no transition t is such that $t^{\bullet} = \emptyset$; 
but this is guaranteed if the original net does not contain 
such a transition.) 

- if it is not a Marked Graph, it must contain a place p with 
more than one input transition, since more than one output 
transition is excluded by construction. Since ${}^{\bullet}Q_t \subseteq Q_t^{\bullet}$ 
there exists an infinite backwards path from each input tran- 
sition to p, i.e. the backwards path ends in a loop. There 
are two cases: 

- the paths do not intersect: 
Then liveness implies that $t_1$ 
and $t_2$ be concurrently firable, 
hence p is unsafe. 
- the paths intersect. Then, since no place has several outputs, 
the paths must recombine at a transition: 
Again, liveness implies unsafeness. 

Hence: (not SCMG) and live $\Rightarrow$ unsafe 

q.e.d. 



Lemma 11 : If, in a Strongly Connected Free Choice net, every MG-reduction 
is strongly connected and non-empty , the reductions cover the 
net. 

Proof : If the transitions are covered, the places are covered because 
the reductions are open consistent subnets. Assume some tran- 
sition _t is not covered, i.e. t is not in any MG-reduction. 
Since the net is strongly connected, we have: $\forall t : |{}^{\bullet}t| \geq 1$. 

Case 1: $|{}^{\bullet}t| = 1$. Then, if every reduction eliminates t, 
every reduction must eliminate ${}^{\bullet}t$, hence all of 
${}^{\bullet}({}^{\bullet}t)$ (Step 2 of reduction). If all $t' \in {}^{\bullet}({}^{\bullet}t)$ 
are such that $|{}^{\bullet}t'| = 1$, repeat case 1 for some 
t'. If not, apply case 2. 

Case 2: $|{}^{\bullet}t| \geq 2$. This case must arise at some time be- 
cause if not the search assumed in case 1 would 
exhaust the net, which contradicts the assumption 
that no reduction is empty. 
But now, by Free Choice hypothesis, each place in ${}^{\bullet}t$ is a 
single-output place. If each reduction eliminates all of 
${}^{\bullet}t$, repeat the argument for $t' \in {}^{\bullet}({}^{\bullet}t)$ as in case 1. 

If some reduction eliminates only part of ${}^{\bullet}t$, since it 
eliminates t there would be places without output transi- 
tions in the reduced net: not strongly connected. 

In any case, the existence of an uncovered transition im- 
plies the existence of either an empty or a non-strongly- 
connected MG-reduction. 

q.e.d. 

From Lemmas 9, 10, and 11 and Theorem 6 with the well-formedness 
corollary we get: 

Theorem 8 : If a Free Choice net is Well-Formed , every MG-reduction is 
a non-empty SCMG and the reductions cover the net. 

5.5 The Well-Formedness Theorem 

We are now ready for the Well-Formedness Theorem, which includes all 
criteria for the existence of a Live and Safe Marking, including Theorems 
7 and 8 and their converses. 

Well-Formedness Theorem (Theorem 9): In a Free Choice Petri net, the following are 
equivalent: 

a) The net is Well-Formed, i.e. 
- every minimal deadlock is SCSM, 
- there is a covering of SCSM's; 

b) The net has a Live and Safe marking. 

c) The reverse-dual is Well-Formed. 

d) Every SM-reduction is a SCSM, the reduc- 
tions cover the net, no reduction is empty. 

e) Every MG-reduction is a SCMG, the reduc- 
tions cover the net, no reduction is 
empty. 



Proof: 

Note: If a is a statement about a FC-net, let a' be the same 
statement for the reverse-dual of the net. 
Example: c = a' 

$a \Leftrightarrow b$ : Corollary of Theorem 6 

$a \Rightarrow e$ : Theorem 8 

$e \Leftrightarrow d'$ : reverse-dual of e for the reverse-dual net, i.e. 

(e for primal) $\Leftrightarrow$ (d for reverse-dual) 

If the primal is such that every MG-reduction is a SCMG etc., 
the reverse-dual is such that every SM-reduction is a SCSM. 

$d' \Rightarrow a'$ : Theorem 7 for the reverse-dual net 

$a' \Rightarrow e'$ : Theorem 8 

$e' \Leftrightarrow d$ : reverse-duality 

$d \Rightarrow a$ : Theorem 7 

We have the following diagram: 

Primal: $b \Leftrightarrow a \Rightarrow e$ 

Reverse-dual: $(c = a')$, $a' \Leftrightarrow b'$, $a' \Rightarrow e'$ 

with $e \Leftrightarrow d'$ and $d \Leftrightarrow e'$ linking the two rows, so that the cycle is 

$a \Rightarrow e \Leftrightarrow d' \Rightarrow a' \Rightarrow e' \Leftrightarrow d \Rightarrow a$ 
The implication path is closed and hence gives us the equivalence 
of statements a, b, c, d, e, a', b', d' and e'. 

Remark: Statement d is more complete than the one used in 
Theorem 7; the part "no SM-reduction is empty" follows by re- 
verse-duality of the full statement of Theorem 8. It is not es- 
sential in the proof of this theorem. 

q.e.d. 
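
As an added illustration, not part of the thesis, the Python below implements the SM-reduction steps of 5.3, obtains MG-reduction from them by reverse-duality as in 5.4, and tests conditions (d) and (e) of Theorem 9 by enumerating every allocation. The sample net, its place and transition names and all function names are my own constructions; the broken variant shows a single missing arc producing an empty reduction.

```python
from itertools import product

def presets(out, keys):
    """Invert an x -> x• map into y -> •y, with an entry for every y in keys."""
    pre = {y: set() for y in keys}
    for x, ys in out.items():
        for y in ys:
            pre[y].add(x)
    return pre

def reverse_dual(p_out, t_out):
    """Reverse-dual net: places and transitions swap roles, every arc is reversed."""
    return presets(p_out, t_out), presets(t_out, p_out)

def sm_reduce(p_out, t_out, B):
    """SM-reduction for an SM-allocation B (B[t] in •t), steps 1-3 to a fixpoint;
    returns (Q_p, Q_t) = (Π - E_p, Σ - E_t)."""
    E_p = set(p_out) - set(B.values())          # step 1: unallocated places
    E_t, changed = set(), True
    while changed:
        new_t = {t for t in t_out if t not in E_t and t_out[t] <= E_p}  # step 2
        E_t |= new_t
        new_p = {p for p in p_out if p not in E_p and p_out[p] & E_t}   # step 3
        E_p |= new_p
        changed = bool(new_t or new_p)
    return set(p_out) - E_p, set(t_out) - E_t

def mg_reduce(p_out, t_out, A):
    """MG-reduction for an MG-allocation A (A[p] in p•) = SM-reduction of the dual."""
    Q_t, Q_p = sm_reduce(*reverse_dual(p_out, t_out), A)
    return Q_p, Q_t

def is_scsm(p_out, t_out, Q_p, Q_t):
    """Non-empty, each transition of the subnet has exactly one input and one output
    place in it, and every arc lies on a cycle (each component strongly connected)."""
    if not Q_p or not Q_t:
        return False
    t_in = presets(p_out, t_out)
    if any(len(t_in[t] & Q_p) != 1 or len(t_out[t] & Q_p) != 1 for t in Q_t):
        return False
    succ = {x: (p_out[x] & Q_t if x in Q_p else t_out[x] & Q_p) for x in Q_p | Q_t}
    def reach(start):
        seen, stack = set(), [start]
        while stack:
            x = stack.pop()
            if x not in seen:
                seen.add(x)
                stack.extend(succ[x])
        return seen
    return all(u in reach(v) for u in succ for v in succ[u])

def theorem9_d(p_out, t_out):
    """Condition (d): every SM-reduction is a (non-empty) SCSM and they cover the
    net.  Returns (holds, number of distinct reductions)."""
    t_in, trans = presets(p_out, t_out), sorted(t_out)
    reductions, cov_p, cov_t, all_scsm = set(), set(), set(), True
    for choice in product(*(sorted(t_in[t]) for t in trans)):  # all SM-allocations
        Q_p, Q_t = sm_reduce(p_out, t_out, dict(zip(trans, choice)))
        reductions.add((frozenset(Q_p), frozenset(Q_t)))
        all_scsm &= is_scsm(p_out, t_out, Q_p, Q_t)
        cov_p, cov_t = cov_p | Q_p, cov_t | Q_t
    return all_scsm and cov_p == set(p_out) and cov_t == set(t_out), len(reductions)

def theorem9_e(p_out, t_out):
    """Condition (e) is condition (d) for the reverse-dual net."""
    return theorem9_d(*reverse_dual(p_out, t_out))

# Constructed FC net: p1 is a free-choice place (t1 or t2) and t5 synchronises the
# two branches (needs p4 and p6).  The marking {p1} is live and safe: the net is WF.
P_OUT = {"p1": {"t1", "t2"}, "p2": {"t3"}, "p3": {"t4"}, "p4": {"t5"},
         "p5": {"t6"}, "p6": {"t5"}}
T_OUT = {"t1": {"p2", "p5"}, "t2": {"p3", "p5"}, "t3": {"p4"}, "t4": {"p4"},
         "t5": {"p1"}, "t6": {"p6"}}
# Dropping the arc t2 -> p5 starves p6 once t2 fires: {p1} can reach a dead marking.
T_OUT_BROKEN = dict(T_OUT, t2={"p3"})

if __name__ == "__main__":
    B = {"t1": "p1", "t2": "p1", "t3": "p2", "t4": "p3", "t5": "p6", "t6": "p5"}
    print("SM-reduction for B(t5) = p6:", sm_reduce(P_OUT, T_OUT, B))
    print("WF net, (d) and (e):", theorem9_d(P_OUT, T_OUT), theorem9_e(P_OUT, T_OUT))
    print("broken, (d) and (e):", theorem9_d(P_OUT, T_OUT_BROKEN),
          theorem9_e(P_OUT, T_OUT_BROKEN))
```

On the broken net the allocation B(t5) = p6 deletes everything, so condition (d) fails both through the "no reduction is empty" clause and through the cover, exactly the situation Lemma 9 describes on the MG side.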



5.6 Examples of Decompositions 

We give below four examples of non-Well -Formed Free Choice Petri 
Nets. All four are strongly connected, but show different possibilities 
of structural unsoundness. 



Example 1: 

(Reductions shown are superimposed in bold on the original net.) 

- one MG-reduction is not a MG (shown), 

- one SM-reduction is not a SM, 

- the other SM-reduction is empty, 

- MG-reductions cover, the SM-reductions do not cover. 



This example has live markings : The minimal deadlocks are 
(P-i) P ? > pJ, which is a trap, and {p p p }, which contains the 
trap [p„, PaJ • But no live marking is safe. 



Example 2: 

Example 3: 

- one MG-reduction is not SC (shown), 

- the other MG-reduction is empty, 

- one SM-reduction is empty, 

- neither SM-reductions nor MG-reductions cover the net. 

- two MG-reductions (one is shown) are SCMG's and cover the net, 

- the two other MG-reductions are empty, 

- same for SM-reductions (the net is self-reverse-dual). 



Examples 2 and 3 have no live markings : The empty MG-reduction guaran- 
tees the existence of a killing sequence. 
Example 4: 

This Petri Net has no live marking, but it contains a live subnet 
$\langle \{p_1, p_2\}, \{t_1, t_2\} \rangle$. This subnet will be covered by every MG- 
reduction. We call such a Petri Net pseudo-live: a pseudo-live 
marking is a marking such that some, but not all, transitions are 
live. 
MG-reduction no. 1 of Example 4: 




unallocated arc: p. • t. 

The MG-reduction is not a Marked Graph. 
MG-reduction no. 2 of Example 4: 




unallocated arc: $p_3 \to t_4$ 

The MG-reduction is not strongly connected. 

The two MG-reductions cover everything except t. 
SM-reduction no. 1 of Example 4: 




unallocated arc: p • t 



The reduction is not a State Machine and not strongly connected. 
SM-reduction no. 2 of Example 4: 




unallocated arc: $p_4 \to t_5$ 

The reduction is not strongly connected. 

The two SM-reductions cover everything except p. 
CHAPTER 6 
Application of the Mathematical Results 

In this chapter, we present the full decomposition of the example 
of a Well-Formed Production Schema shown in 2.3. 

The next pages show first a reproduction of the example and the 
corresponding Petri Net. The labels on the Production Schema indi- 
cate the corresponding Petri Net elements. Some contractions have 
been performed in the translation process, as suggested in 2.4. We 
also have used only one transition to represent the two operations 
labeled j and j' in the Production Schema; this of course does not 
change the structure of dependencies. 

We then present all SM-reductions superimposed in bold on the 
original net. For each reduction, we indicate the SM-allocation by 
crossing out the unallocated arcs . 

We record the progress of the reduction algorithm by numbering 
the elements as they are eliminated. The unallocated places, disap- 
pearing at step 1 (cf 5.3), are labelled (1). The transitions elim- 
inated by the first application of step 2 are labelled (2); those 
eliminated by the n-th application of step 2 are labelled (2n). The 
places eliminated by the n-th application of step 3 are labelled (2n+1). 

Since there are three two-input transitions, and all other transi- 
tions have a single input place, the unallocated arcs will be chosen 
from three pairs of arcs. We therefore expect eight ($2^3$) possible SM- 
reductions. 

However, two different SM-allocations may yield the same reduced net. 
This is illustrated in the first example (SM-reduction No. 1): We no- 
tice that the choice at transition c eliminates transition m on move (4), 
and this independently from the choice made at m. Hence, the choice be- 
tween L and M for the allocation at m is irrelevant: The two allocations 
yield the same reduced net. The same applies to SM-reduction No. 4. 

In SM-reductions Nos. 5 and 6, we also notice a multiple-input tran- 
sition, namely h, that has been deleted. However, this is due to the 
combined choice at c and h; if we allocated G to h instead of K, we do 
not delete h (SM-reductions Nos. 2 and 3). 
Well-Formed Production Schema 

Well-Formed Free Choice Petri Net 

unallocated arcs: K → h, I → c, L → m (for 1 bis: M → m) 
The SM-allocation of SM-reduction 1 is formally the function B, 
consisting of the set of pairs $\langle x, B(x) \rangle$: 

argument: $x \in \Sigma$             a b c d e f g h i j k l m 

value: $B(x) \in {}^{\bullet}x$      A B C B F D F G H H J E L 

We get the same reduced net by replacing the argument-value pair 
$\langle m, L \rangle$ by $\langle m, M \rangle$. We distinguish the allocations yielding SM-reduction 
No. 1 by calling them SM-allocation No. 1 and No. 1 bis respectively. 

We also note that a reduction may consist of several disjoint 
parts. This should not be surprising, and the warning on page was 
given with this in mind. It is simply convenient not to distinguish 
between the two interpretations of "strongly connected;" context 
usually makes the difference clear when it is relevant (when talking 
abou t minimal deadlocks for example). We shall say individual SCSM if 
we want to emphasize one component. 

The individual SCSM's (the minimal deadlocks) are the SM-reductions 
Nos. 1, 4, 5, 6. SM-reductions Nos. 2 and 3 are combinations of 1 and 6, 
and of 1 and 5, respectively. In this net, all minimal deadlocks are required 
to cover the net. In terms of reductions, only three are required: 2, 4, and 5 
for example. 

There are 8 SM-allocations (the product of the number of input arcs 
over all transitions) yielding 6 different SM-reductions and 4 indivi- 
dual SCSM's. Note also that the union of SM-reductions No. 3 and No. 6 
covers all transitions, but leaves out places C and K. 

From the SM-decomposition we can infer a few facts about a possible 
live-and-safe marking. 

- Since there are four minimal deadlocks, and each has at least one 
place that appears in no other individual SCSM (four such places are G, 
K, L, M for example), the maximum number of tokens in the net is four. 

- Since no place is shared by more than two individual SCSM's, but A 
is shared by two SCSM's and H by the other two, the minimum number of 
tokens in a live and safe marking is two. It is also easy to see that 
there is only one live-and-safe marking class, determined by the initial 
marking {A, H} for example. 
MG-reduction No. 2 (No. 2 bis) 

MG-reduction No. 6 (No. 6 bis) 
The MG-reductions have been constructed in an analogous way. 
Again, unallocated arcs have been crossed out. The MG-allocation for 
MG-reduction No. 1, for example, is the function A, consisting of the 
set of pairs $\langle x, A(x) \rangle$: 

argument: $x \in \Pi$               A B C D E F G H I J K L M 

value: $A(x) \in x^{\bullet}$         a b c f l e h i c k h m m 

The unallocated transitions are d, g, j. 

Much of what has been said about SM-reductions can be said about 
MG-reductions. We again have 8 MG-allocations (product of the number 
of output arcs over all places) yielding 6 distinct MG-reductions and 
4 individual SCMG's: reductions Nos. 1, 4, 5 and 6. The coincidence 
with SM-reductions is totally fortuitous (even the fact that MG- 
reductions Nos. 2 and 3 are composed of reductions No. 1 plus 6 and 6, 
respectively); to show this, it is enough to imagine an additional choice 
for B, going to F via a new transition n, for example. Now we would have 
12 MG-allocations, and we would get more SCMG's, but the only change to 
SM-reductions would be that the individual SCSM No. 1 would look differ- 
ent in SM-reductions Nos. 1, 2 and 3. 

Note that MG-reduction No. 4 covers all places by itself, but tran- 
sitions e, d and j are not covered. A complete MG-covering would be 
2, 4, 5 for example, consisting of all four individual SCMG's. 

We can consider a covering by SCSM's as a set of State Machines 
communicating by exchanging synchronization signals via shared transi- 
tions h, m and c. Since we interpret the net as a representation of 
some production facility, these transitions correspond to points where 
one process must wait for another. If two transitions, say c and j, 
belong to the same individual SCSM, they may represent facilities 
using the same resources, since they will never compete for common re- 
sources. 
The decomposition into Marked Graphs shows concurrency among the 
composing State Machines. But it also shows possible complete inde- 
pendencies. For instance, MG-reductions Nos. 2 and 3 consist of two 
disjoint SCMG's. The two SCMG's of MG-reduction No. 2, however, can- 
not operate concurrently, because the individual SCMG No. 5 intersects 
the individual SCSM No. 1 containing SCMG No. 1: SCSM No. 1 would con- 
tain two tokens. But all four individual SCSM's are needed for the 
covering, and hence all must be one-token SCSM's. 

On the other hand, this restriction does not apply to MG-reduction 
No. 3, where the two components are indeed totally independent of each 
other. 

An interesting result for production facilities obtained from the 
Well-Formedness Theorem in connection with MG-reductions is the 
following : 

If a production facility "works properly" for every constant 
set of decisions (constant predicates for multiple choice 
places) (i.e. every MG-reduction is LS, hence SCMG) then it 
"works properly" for any dynamic choice (i.e. the net is LS). 
CONCLUSION 

This thesis has extended the structural analysis methods to concur- 
rent systems with decisions and conflicts. Before, most work in this area 
was concerned with marked-graph type schemata [3, 12]. Baer, Bovet and 
Estrin restricted themselves to directed acyclic bilogical (i.e. conjunctive 
and disjunctive nodes) graphs [1]. The legality they refer to 
corresponds to our Well-Formedness; in that sense this thesis extends 
their work to directed cyclic bilogical graphs. 

The concept of decomposition of Petri Nets seems very promising. 
It permits the identification of meaningful subsystems and their inter- 
connections in a complex system. It may be used to enhance structural 
transparency in the synthesis of complex concurrent systems. It also 
provides criteria for the hang-up free interconnection of State Ma- 
chines, and sheds a new light on the results about the interconnections 
of determinate systems obtained by Patil [17]. 

An interesting field of future research is the semantic interpre- 
tation of the decomposition results, notably the significance of the 
dual coverings -- by Marked Graphs and by State Machines -- of Petri 
Nets. We expect a strong influence in this field from recent research 
on the semantics of Petri Nets, by Holt [11]. 

A different approach to decomposition has been made by Furtek [8]. 
It is based on an analysis of the information flow along arcs that gov- 
erns the token flow at firings. Combining the two approaches should 
prove very fruitful. 

The next step will be to extend our results and methods to wider 
classes of Petri Nets. Simple Nets seem to be the next target, and a 
few results similar to those for Free Choice Nets have already been ob- 
tained for Simple Nets. Ultimately, we hope to gain a full understanding 
of the structural properties of General Petri Nets, and we expect that 
some of the tools provided in this thesis will be useful to that effect. 
If we get theorems and Live-and-Safeness criteria similar to those ex- 
pressed here for a larger class of Petri Nets, we will be able to ex- 
tend the definition of Production Schemata to represent and analyze an 
even larger class of Systems. 